Re: Fedora 25 GRUB security issue
On Thu, Aug 03, 2017 at 10:21:43AM -0600, Chris Murphy wrote:
> security@ and security-team@ have no meaningful activity in at least
> the last 6 months so I'm posting this here.
>
> grub2 incorrectly initialises the boot_params from the kernel image
> https://bugzilla.redhat.com/show_bug.cgi?id=1418360
>
> The gist is that the bug means the kernel can't determine UEFI secure
> boot state, considers it not enabled, resulting in the kernel not
> enabling certain checks it otherwise does when it knows secure boot is
> enabled. Ergo, users who have secure boot enabled are not getting the
> full benefit of secure boot, and this fallback is pretty much silent
> (you'd have to be looking at kernel messages to know you're not
> protected).
>
> Fedora 26 has grub2-2.02-0.40.fc26.x86_64 which contains the fix. It
> was proposed as a blocker bug, but was rejected because it doesn't
> have a formal security evaluation.
>
> However, Fedora 24 didn't get the fix before going EOL. And Fedora 25
> and Rawhide both still have this problem. And I think it needs
> attention.

My understanding is that dhowells was going to revert part of the kernel
change that led to this in F25. I didn't realize we'd pushed the problem
back to F24 as well, so I guess we ought to solve it there before it's
too late.

For rawhide I've built the fixed grub2 package. I guess I can build one
for F24 and F25 as well, though I was hoping this would be solved by the
kernel not breaking our expectations.

--
Peter
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
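The silent fallback quoted above is only visible if you compare what the firmware reports with what the kernel decided at boot. The script below is an added example, not code from this thread or from Fedora; it assumes the SecureBoot efivar is 4 attribute bytes followed by one state byte, and that the Fedora-patched kernel logs "Secure boot enabled" or "Secure boot disabled" early in boot. It runs on constructed sample data standing in for a buggy boot.

```shell
# Added example (not from the thread or from Fedora): compare the firmware's
# Secure Boot state with what the kernel decided at boot, so the silent
# fallback described above becomes visible.
# Assumption: the SecureBoot efivar is 4 attribute bytes followed by one
# state byte, and the Fedora-patched kernel logs "Secure boot enabled" /
# "Secure boot disabled" during early boot.
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Firmware view: the 5th byte of the variable file (after the 4 attribute bytes).
firmware_sb_state() {
    local f="$1" byte
    [ -r "$f" ] || { echo "unknown"; return; }
    byte=$(od -An -tx1 -j4 -N1 "$f" | tr -d ' \n')
    case "$byte" in
        01) echo "enabled" ;;
        00) echo "disabled" ;;
        *)  echo "unknown" ;;
    esac
}

# Kernel view: parse kernel log text from stdin (real use: dmesg | kernel_sb_state).
kernel_sb_state() {
    local log
    log=$(cat)
    if printf '%s\n' "$log" | grep -qi 'secure boot enabled'; then echo "enabled"
    elif printf '%s\n' "$log" | grep -qi 'secure boot disabled'; then echo "disabled"
    else echo "unknown"
    fi
}

# "mismatch" is the case the thread is about: firmware says on, kernel did not notice.
sb_verdict() {
    if [ "$1" = enabled ] && [ "$2" != enabled ]; then echo "mismatch"
    else echo "consistent"
    fi
}

# Constructed sample data so the script runs offline: a fake SecureBoot variable
# (attributes 0x07, state 0x01) and fake kernel log lines from a buggy boot.
sample_var=$(mktemp)
printf '\007\000\000\000\001' > "$sample_var"
sample_log='[    0.000000] efi: EFI v2.40 by Example Firmware Vendor
[    0.000000] Secure boot disabled'

fw=$(firmware_sb_state "$sample_var")
kern=$(printf '%s\n' "$sample_log" | kernel_sb_state)
echo "firmware=$fw kernel=$kern verdict=$(sb_verdict "$fw" "$kern")"
rm -f "$sample_var"
```

On a live system, replace the sample inputs with `firmware_sb_state "$SB_VAR"` and `dmesg | kernel_sb_state`; a "mismatch" verdict means the kernel is running without the checks it would enable when it knows Secure Boot is on.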
Re: Fedora 25 GRUB security issue
On Thu, Aug 3, 2017 at 7:04 PM, Chris Murphy wrote:
> On Thu, Aug 3, 2017 at 11:02 AM, Peter Robinson wrote:
>> On Thu, Aug 3, 2017 at 5:21 PM, Chris Murphy wrote:
>>> security@ and security-team@ have no meaningful activity in at least
>>> the last 6 months so I'm posting this here.
>>
>> Have you tried something as simple as reaching out to the maintainer of
>> grub2?
>>
>
> I don't understand the question. People have been asking for it to be
> fixed in Fedora 25 for over a month in at least one of the various
> related bugs, and there's been no response. And it probably should
> have been fixed in Fedora 24 also rather than running out the clock.

Bugzilla is huge and the grub maintainer is massively overstretched, as
he's not pure Fedora, so sometimes things get missed when there are
deadlines. So often it's worth reaching out directly just in case they've
missed bugzilla.
Re: Fedora 25 GRUB security issue
On Thu, Aug 3, 2017 at 11:02 AM, Peter Robinson wrote:
> On Thu, Aug 3, 2017 at 5:21 PM, Chris Murphy wrote:
>> security@ and security-team@ have no meaningful activity in at least
>> the last 6 months so I'm posting this here.
>
> Have you tried something as simple as reaching out to the maintainer of grub2?
>

I don't understand the question. People have been asking for it to be
fixed in Fedora 25 for over a month in at least one of the various
related bugs, and there's been no response. And it probably should have
been fixed in Fedora 24 also rather than running out the clock.

https://bugzilla.redhat.com/show_bug.cgi?id=1418360
https://bugzilla.redhat.com/show_bug.cgi?id=1451071
https://bugzilla.redhat.com/show_bug.cgi?id=1465517
https://bugzilla.redhat.com/show_bug.cgi?id=1470995

--
Chris Murphy
Re: Fedora 25 GRUB security issue
On Thu, Aug 3, 2017 at 5:21 PM, Chris Murphy wrote:
> security@ and security-team@ have no meaningful activity in at least
> the last 6 months so I'm posting this here.

Have you tried something as simple as reaching out to the maintainer of grub2?

> grub2 incorrectly initialises the boot_params from the kernel image
> https://bugzilla.redhat.com/show_bug.cgi?id=1418360
>
> The gist is that the bug means the kernel can't determine UEFI secure
> boot state, considers it not enabled, resulting in the kernel not
> enabling certain checks it otherwise does when it knows secure boot is
> enabled. Ergo, users who have secure boot enabled are not getting the
> full benefit of secure boot, and this fallback is pretty much silent
> (you'd have to be looking at kernel messages to know you're not
> protected).
>
> Fedora 26 has grub2-2.02-0.40.fc26.x86_64 which contains the fix. It
> was proposed as a blocker bug, but was rejected because it doesn't
> have a formal security evaluation.
>
> However, Fedora 24 didn't get the fix before going EOL. And Fedora 25
> and Rawhide both still have this problem. And I think it needs
> attention.
>
>
> Thanks,
>
> --
> Chris Murphy
Re: Fedora 25 GRUB security issue
On Thu, Aug 03, 2017 at 10:21:43AM -0600, Chris Murphy wrote:
> However, Fedora 24 didn't get the fix before going EOL. And Fedora 25
> and Rawhide both still have this problem. And I think it needs
> attention.

I suppose this is mildly pedantic since I'd be shocked if it makes any
difference here, but F24 isn't actually EOL for another 5 days.

--
Matthew Miller
Fedora Project Leader
Re: Fedora 25 GRUB security issue
On 08/03/2017 06:21 PM, Chris Murphy wrote:
> However, Fedora 24 didn't get the fix before going EOL. And Fedora 25
> and Rawhide both still have this problem. And I think it needs
> attention.

Does this really matter? The signed binaries are out there, and I don't
think we have revocation working yet. And if we revoke the old GRUB
versions, it will be impossible to downgrade, and some users who update
in the wrong order will probably be locked out of their systems.

Thanks,
Florian