diff options
Diffstat (limited to 'source/a/grub')
| -rw-r--r-- | source/a/grub/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch | 45 | ||||
| -rw-r--r-- | source/a/grub/etc.default.grub | 4 | ||||
| -rwxr-xr-x | source/a/grub/grub.SlackBuild | 50 |
3 files changed, 84 insertions, 15 deletions
diff --git a/source/a/grub/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch b/source/a/grub/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch new file mode 100644 index 000000000..5701b5475 --- /dev/null +++ b/source/a/grub/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch @@ -0,0 +1,45 @@ +From 88c9657960a6c5d3673a25c266781e876c181add Mon Sep 17 00:00:00 2001 +From: Hector Marco-Gisbert <hecmargi@upv.es> +Date: Fri, 13 Nov 2015 16:21:09 +0100 +Subject: [PATCH] Fix security issue when reading username and password + + This patch fixes two integer underflows at: + * grub-core/lib/crypto.c + * grub-core/normal/auth.c + +Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es> +Signed-off-by: Ismael Ripoll-Ripoll <iripoll@disca.upv.es> +--- + grub-core/lib/crypto.c | 2 +- + grub-core/normal/auth.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c +index 010e550..524a3d8 100644 +--- a/grub-core/lib/crypto.c ++++ b/grub-core/lib/crypto.c +@@ -468,7 +468,7 @@ grub_password_get (char buf[], unsigned buf_size) + break; + } + +- if (key == '\b') ++ if (key == '\b' && cur_len) + { + cur_len--; + continue; +diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c +index c6bd96e..5782ec5 100644 +--- a/grub-core/normal/auth.c ++++ b/grub-core/normal/auth.c +@@ -172,7 +172,7 @@ grub_username_get (char buf[], unsigned buf_size) + break; + } + +- if (key == '\b') ++ if (key == '\b' && cur_len) + { + cur_len--; + grub_printf ("\b"); +-- +1.9.1 + diff --git a/source/a/grub/etc.default.grub b/source/a/grub/etc.default.grub index f612a35a7..b2d4080a0 100644 --- a/source/a/grub/etc.default.grub +++ b/source/a/grub/etc.default.grub @@ -24,5 +24,5 @@ GRUB_CMDLINE_LINUX="" # Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux #GRUB_DISABLE_LINUX_UUID=true -# Uncomment to disable generation of recovery mode menu entrys -#GRUB_DISABLE_LINUX_RECOVERY="true" +# Uncomment to disable generation of recovery mode menu entries +#GRUB_DISABLE_RECOVERY="true" diff --git a/source/a/grub/grub.SlackBuild b/source/a/grub/grub.SlackBuild index 5a0c27e81..ba7ecd8b1 100755 --- a/source/a/grub/grub.SlackBuild +++ b/source/a/grub/grub.SlackBuild @@ -1,6 +1,6 @@ #!/bin/sh -# Copyright 2013 Patrick J. Volkerding, Sebeka, Minnesota, USA +# Copyright 2013, 2016 Patrick J. Volkerding, Sebeka, Minnesota, USA # All rights reserved. # # Redistribution and use of this script, with or without modification, is @@ -20,16 +20,17 @@ # OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# Modified 2016 by Eric Hameleers <alien@slackware.com> for Slackware Live Edition. PKGNAM=grub VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} -BUILD=${BUILD:-2} +BUILD=${BUILD:-5} # Automatically determine the architecture we're building on: if [ -z "$ARCH" ]; then case "$(uname -m)" in - i?86) ARCH=i486 ;; - arm*) readelf /usr/bin/file -A | egrep -q "Tag_CPU.*[4,5]" && ARCH=arm || ARCH=armv7lh ;; + i?86) ARCH=i586 ;; + arm*) readelf /usr/bin/file -A | egrep -q "Tag_CPU.*[4,5]" && ARCH=arm || ARCH=armv7hl ;; # Unless $ARCH is already set, use uname -m for all other archs: *) ARCH=$(uname -m) ;; esac @@ -43,18 +44,22 @@ if [ "$ARCH" = "i386" ]; then LIBDIRSUFFIX="" elif [ "$ARCH" = "i486" ]; then SLKCFLAGS="-O2 -march=i486 -mtune=i686" + EFI32_FLAGS=" --with-platform=efi --target=i386 --program-prefix= " LIBDIRSUFFIX="" elif [ "$ARCH" = "i586" ]; then SLKCFLAGS="-O2 -march=i586 -mtune=i686" + EFI32_FLAGS=" --with-platform=efi --target=i386 --program-prefix= " LIBDIRSUFFIX="" elif [ "$ARCH" = "i686" ]; then SLKCFLAGS="-O2 -march=i686" + EFI32_FLAGS=" --with-platform=efi --target=i386 --program-prefix= " LIBDIRSUFFIX="" elif [ "$ARCH" = "s390" ]; then SLKCFLAGS="-O2" LIBDIRSUFFIX="" elif [ "$ARCH" = "x86_64" ]; then SLKCFLAGS="-O2" + EFI32_FLAGS=" --with-platform=efi --target=i386 --program-prefix= " EFI_FLAGS=" --with-platform=efi --target=x86_64 --program-prefix= " LIBDIRSUFFIX="64" elif [ "$ARCH" = "armv7hl" ]; then @@ -96,12 +101,11 @@ zcat $CWD/grub.dejavusansmono.gfxterm.font.diff.gz | patch -p1 --verbose || exit # Terminate EFI several times. This is a workaround for broken UEFI firmware. zcat $CWD/grub.e75fdee420a7ad95e9a465c9699adc2e2e970440.terminate.efi.several.times.diff.gz | patch -p1 --verbose || exit 1 -for i in 1 2 ; do - # Skip to regular build if EFI support is not requested: - if [ i = 1 -a -z "$EFI_FLAGS" ]; then - continue; - fi +# Fix security issue when reading username and password: +zcat $CWD/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch.gz | patch -p1 --verbose || exit 1 +build_grub() { + EFI_DO="$*" # Configure: CFLAGS="$SLKCFLAGS" \ ./configure \ @@ -112,16 +116,26 @@ for i in 1 2 ; do --infodir=/usr/info \ --mandir=/usr/man \ --disable-werror \ - $EFI_FLAGS + $EFI_DO # Build and install: make clean make $NUMJOBS || make || exit 1 make install DESTDIR=$PKG || exit 1 - # Clear $EFI_FLAGS for a regular build: - unset EFI_FLAGS -done + # Clear $EFI_DO : + unset EFI_DO +} + +# Build 32bit and 64bit efi targets if requested: +if [ -n "$EFI32_FLAGS" ]; then + build_grub $EFI32_FLAGS +fi +if [ -n "$EFI_FLAGS" ]; then + build_grub $EFI_FLAGS +fi +# Always end with regular build: +build_grub # Preserve the contents of /etc/grub.d/40_custom: mv $PKG/etc/grub.d/40_custom $PKG/etc/grub.d/40_custom.new @@ -132,9 +146,19 @@ mv $PKG/etc/grub.d/40_custom $PKG/etc/grub.d/40_custom.new find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null ) +# Put bash-completion file in system directory: +mkdir -p $PKG/usr/share/bash-completion/completions/ +mv $PKG/etc/bash_completion.d/grub \ + $PKG/usr/share/bash-completion/completions/grub +rmdir --parents $PKG/etc/bash_completion.d 2>/dev/null + +# Install default options file: mkdir -p $PKG/etc/default cat $CWD/etc.default.grub > $PKG/etc/default/grub.new +# Create a directory for grub.cfg: +mkdir -p $PKG/boot/grub + # Add fonts, if found on the system: FONT_SIZE=${FONT_SIZE:-19} if [ -r /usr/share/fonts/TTF/unifont.ttf ]; then |