Re: Fedora 25 GRUB security issue

2017-08-03 Thread Peter Jones
On Thu, Aug 03, 2017 at 10:21:43AM -0600, Chris Murphy wrote:
> security@ and security-team@ have no meaningful activity in at least
> the last 6 months so I'm posting this here.
> 
> grub2 incorrectly initialises the boot_params from the kernel image
> https://bugzilla.redhat.com/show_bug.cgi?id=1418360
> 
> The gist is that the bug means the kernel can't determine UEFI secure
> boot state, considers it not enabled, resulting in the kernel not
> enabling certain checks it otherwise does when it knows secure boot is
> enabled. Ergo, users who have secure boot enabled are not getting the
> full benefit of secure boot, and this fallback is pretty much silent
> (you'd have to be looking at kernel messages to know you're not
> protected).
> 
> Fedora 26 has grub2-2.02-0.40.fc26.x86_64 which contains the fix. It
> was proposed as a blocker bug, bug was rejected because it doesn't
> have a formal security evaluation.
> 
> However, Fedora 24 didn't get the fix before going EOL. And Fedora 25
> and Rawhide both still have this problem. And I think it needs
> attention.

My understanding is that dhowells was going to revert part of the kernel
change that led to this in F25.  I didn't realize we'd pushed the
problem back to F24 as well, so I guess we ought to solve it there
before it's too late.

For rawhide I've built the fixed grub2 package.  I guess I can build one
for F24 and F25 as well, though I was hoping this would be solved by the
kernel not breaking our expectations.

-- 
  Peter
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
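
The silent fallback Chris describes (firmware has Secure Boot on, kernel believes it is off and skips its lockdown checks) can be spotted on a running system by comparing the firmware's SecureBoot variable with what the kernel logged at boot. This is an added example, not code from the thread or from Fedora's grub2 or kernel packages; the efivarfs path and the "Secure boot enabled" log wording are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: detect the silent fallback described
# in the bug report by comparing the firmware's view of Secure Boot with the
# kernel's. The efivarfs path and the kernel log wording are assumptions.

# The SecureBoot EFI global variable as exposed by efivarfs: a 4-byte
# attribute header followed by the 1-byte variable payload (1 = enabled).
EFIVAR_SB=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Firmware view: prints enabled, disabled or unknown for an efivarfs-style file.
firmware_sb_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    v=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Kernel view: what the kernel concluded from boot_params, as logged at boot.
# Reads kernel log text on stdin; the message wording is matched loosely.
kernel_sb_state() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -qi 'secure boot enabled'; then
        echo enabled
    elif printf '%s\n' "$log" | grep -qi 'secure boot disabled'; then
        echo disabled
    else
        echo unknown
    fi
}

# Returns 1 (and says so) when firmware reports Secure Boot on but the kernel
# did not see it, which is the case the grub2 bug produces; 0 otherwise.
check_sb_consistency() {
    if [ "$1" = enabled ] && [ "$2" != enabled ]; then
        echo "MISMATCH: firmware SecureBoot=1 but kernel reports '$2'"
        return 1
    fi
    echo "OK: firmware=$1 kernel=$2"
    return 0
}

# Run against the live system when the pieces are present (needs dmesg access).
if [ -r "$EFIVAR_SB" ] && command -v dmesg >/dev/null 2>&1; then
    check_sb_consistency "$(firmware_sb_state "$EFIVAR_SB")" \
                         "$(dmesg 2>/dev/null | kernel_sb_state)" || true
fi
```

A MISMATCH on an affected Fedora 25 or Rawhide box with the older grub2 is the symptom the bug report describes; after updating to a fixed grub2 and rebooting, the two views should agree.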


Re: Fedora 25 GRUB security issue

2017-08-03 Thread Peter Robinson
On Thu, Aug 3, 2017 at 7:04 PM, Chris Murphy  wrote:
> On Thu, Aug 3, 2017 at 11:02 AM, Peter Robinson  wrote:
>> On Thu, Aug 3, 2017 at 5:21 PM, Chris Murphy  wrote:
>>> security@ and security-team@ have no meaningful activity in at least
>>> the last 6 months so I'm posting this here.
>>
>> Have you tried something as simple as reaching out to the maintainer of 
>> grub2?
>>
>
> I don't understand the question. People have been asking for it to be
> fixed in Fedora 25 for over a month in at least one of the various
> related bugs, and there's been no response. And it probably should
> have been fixed in Fedora 24 also rather than running out the clock.

Bugzilla is huge and the grub maintainer is massively overstretched as
he's not pure Fedora so sometimes things get missed when there's
deadlines so often it's worth reaching out directly just in case
they've missed bugzilla.


Re: Fedora 25 GRUB security issue

2017-08-03 Thread Chris Murphy
On Thu, Aug 3, 2017 at 11:02 AM, Peter Robinson  wrote:
> On Thu, Aug 3, 2017 at 5:21 PM, Chris Murphy  wrote:
>> security@ and security-team@ have no meaningful activity in at least
>> the last 6 months so I'm posting this here.
>
> Have you tried something as simple as reaching out to the maintainer of grub2?
>

I don't understand the question. People have been asking for it to be
fixed in Fedora 25 for over a month in at least one of the various
related bugs, and there's been no response. And it probably should
have been fixed in Fedora 24 also rather than running out the clock.

https://bugzilla.redhat.com/show_bug.cgi?id=1418360
https://bugzilla.redhat.com/show_bug.cgi?id=1451071
https://bugzilla.redhat.com/show_bug.cgi?id=1465517
https://bugzilla.redhat.com/show_bug.cgi?id=1470995
-- 
Chris Murphy


Re: Fedora 25 GRUB security issue

2017-08-03 Thread Peter Robinson
On Thu, Aug 3, 2017 at 5:21 PM, Chris Murphy  wrote:
> security@ and security-team@ have no meaningful activity in at least
> the last 6 months so I'm posting this here.

Have you tried something as simple as reaching out to the maintainer of grub2?

> grub2 incorrectly initialises the boot_params from the kernel image
> https://bugzilla.redhat.com/show_bug.cgi?id=1418360
>
> The gist is that the bug means the kernel can't determine UEFI secure
> boot state, considers it not enabled, resulting in the kernel not
> enabling certain checks it otherwise does when it knows secure boot is
> enabled. Ergo, users who have secure boot enabled are not getting the
> full benefit of secure boot, and this fallback is pretty much silent
> (you'd have to be looking at kernel messages to know you're not
> protected).
>
> Fedora 26 has grub2-2.02-0.40.fc26.x86_64 which contains the fix. It
> was proposed as a blocker bug, bug was rejected because it doesn't
> have a formal security evaluation.
>
> However, Fedora 24 didn't get the fix before going EOL. And Fedora 25
> and Rawhide both still have this problem. And I think it needs
> attention.
>
>
> Thanks,
>
> --
> Chris Murphy


Re: Fedora 25 GRUB security issue

2017-08-03 Thread Matthew Miller
On Thu, Aug 03, 2017 at 10:21:43AM -0600, Chris Murphy wrote:
> However, Fedora 24 didn't get the fix before going EOL. And Fedora 25
> and Rawhide both still have this problem. And I think it needs
> attention.

I suppose this is mildly pedantic since I'd be shocked if it makes any
difference here, but F24 isn't actually EOL for another 5 days.

-- 
Matthew Miller

Fedora Project Leader


Re: Fedora 25 GRUB security issue

2017-08-03 Thread Florian Weimer
On 08/03/2017 06:21 PM, Chris Murphy wrote:

> However, Fedora 24 didn't get the fix before going EOL. And Fedora 25
> and Rawhide both still have this problem. And I think it needs
> attention.

Does this really matter?  The signed binaries are out there, and I don't
think we have revocation working yet.

And if we revoke the old GRUB versions, it will be impossible to
downgrade, and some users who update in the wrong order will probably be
locked out of their systems.

Thanks,
Florian