Описание
Security update for grub2
- Fix buffer overflows when reading username and password. (bsc#956631, CVE-2015-8370)
- Check MS-DOS header to find PE file header. (bsc#954126)
- Use dirname for copying Xen kernel and initrd to esp. (bsc#955493)
- Fix reading password by grub2-mkpasswd-pbdk2 without controlling tty. (bsc#954519)
- Add luks, gcry_rijndael and gcry_sha1 to signed EFI image to support LUKS partition in default setup. (bsc#917427, bsc#955609)
- Expand list of grub.cfg search path in PV Xen guests for systems installed on btrfs snapshots. (bsc#946148, bsc#952539)
Список пакетов
SUSE Linux Enterprise Desktop 12 SP1
grub2-2.02~beta2-73.3
grub2-i386-pc-2.02~beta2-73.3
grub2-snapper-plugin-2.02~beta2-73.3
grub2-x86_64-efi-2.02~beta2-73.3
grub2-x86_64-xen-2.02~beta2-73.3
SUSE Linux Enterprise Server 12 SP1
grub2-2.02~beta2-73.3
grub2-i386-pc-2.02~beta2-73.3
grub2-powerpc-ieee1275-2.02~beta2-73.3
grub2-s390x-emu-2.02~beta2-73.3
grub2-snapper-plugin-2.02~beta2-73.3
grub2-x86_64-efi-2.02~beta2-73.3
grub2-x86_64-xen-2.02~beta2-73.3
SUSE Linux Enterprise Server for SAP Applications 12 SP1
grub2-2.02~beta2-73.3
grub2-i386-pc-2.02~beta2-73.3
grub2-powerpc-ieee1275-2.02~beta2-73.3
grub2-s390x-emu-2.02~beta2-73.3
grub2-snapper-plugin-2.02~beta2-73.3
grub2-x86_64-efi-2.02~beta2-73.3
grub2-x86_64-xen-2.02~beta2-73.3
Ссылки
- Link for SUSE-SU-2015:2387-1
- E-Mail link for SUSE-SU-2015:2387-1
- SUSE Security Ratings
- SUSE Bug 774666
- SUSE Bug 917427
- SUSE Bug 946148
- SUSE Bug 952539
- SUSE Bug 954126
- SUSE Bug 954519
- SUSE Bug 955493
- SUSE Bug 955609
- SUSE Bug 956631
- SUSE CVE CVE-2015-8370 page
Описание
Multiple integer underflows in Grub2 1.98 through 2.02 allow physically proximate attackers to bypass authentication, obtain sensitive information, or cause a denial of service (disk corruption) via backspace characters in the (1) grub_username_get function in grub-core/normal/auth.c or the (2) grub_password_get function in lib/crypto.c, which trigger an "Off-by-two" or "Out of bounds overwrite" memory error.
Затронутые продукты
SUSE Linux Enterprise Desktop 12 SP1:grub2-2.02~beta2-73.3
SUSE Linux Enterprise Desktop 12 SP1:grub2-i386-pc-2.02~beta2-73.3
SUSE Linux Enterprise Desktop 12 SP1:grub2-snapper-plugin-2.02~beta2-73.3
SUSE Linux Enterprise Desktop 12 SP1:grub2-x86_64-efi-2.02~beta2-73.3
Ссылки
- CVE-2015-8370
- SUSE Bug 956631