SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Wednesday a GRUB boot loader security flaw was announced around the web. Thursday many major distro maintainers hastily released a patch. Hastily releasing a patch was in poor judgment because exploiting the flaw requires access to a computer and admin privileges.
This patch is causing many systems to fail to boot. Rather than boot normally the computer drops to a GRUB rescue prompt.
I confirmed the failure on a Debian system.
Pat, please let the dust settle on this mess before pushing a patched GRUB package to 14.2 and Current.
I do not use GRUB2, but our esteemed Didier Spaier has already given a comprehensive post
The theres-a-hole-in-the-boot link is informative. The problems will not be in the patches, but rather from the endeavours to fix the breakage in the chain of trust.
The Debian systems I tested do not use secure boot. The patches broke GRUB. All I am asking Pat is proceed in his usual cautious manner before pushing patches.
I use GRUB on Slackware systems as do other Slackers. If Pat wants to push proposed GRUB patches to the /testing branch I'll be happy to help test.
I totally agree that this issue is being overblown. A company (with a name that I cannot dissociate mentally from eclampsia) has found a flaw that at this time can only be exploited with root privileges. With that level of access, attack on UEFI seems a low priority.
The fallout from this will be huge. The introduction of UEFI was driven by the Microsoft desire to protect the Windows 10 operating system. Microsoft leveraged the power it has over hardware manufacturers to introduce the required hardware changes. To avoid complaints of unfair competition, Microsoft needed to allow alternative operating systems to be run. The flaws in the adopted mechanism are now being exposed. There is now an impossible balance between the competing interests of administrators requiring secure systems as an immediate priority versus administrators requiring stable functional systems for hundreds/thousands of users.
@upnort: to make use of the information you gave we need to know which is the "bad" patch.
If you use Debian stable aka Buster I assume that this patch is included in http://security.debian.org/debian-se....debian.tar.xz. However the 'series' file in the debin/patches directory mentions 170 patches (including CVE-2020-10713.patch), so it's hard to know which one is bad...
EDIT: looking at the Centos link provided by Matteo faulty patch could be in mokutil or shim, not grub itself. If this is correct Slackware users are not at risk at all
Anyway I don't think that Patrick will ever apply an untested patch, so we are safe.
Last edited by Didier Spaier; 07-31-2020 at 11:51 AM.
It's apparently not affected, because Slackware does not patch the upstream grub sources with distribution specific stuff. Plus it doesn't even install grub by default.
According to this source, Gentoo is not affected either.
found a flaw that at this time can only be exploited with root privileges. With that level of access, attack on UEFI seems a low priority.
Exactly. There was no need to hastily push packages without testing.
Quote:
to make use of the information you gave we need to know which is the "bad" patch.
I agree. On two Debian systems I tested both failed to boot. This is the Slackware forum but since you asked there were six related Debian packages released yesterday:
Both of the systems I tested are not using EFI or secure boot so those packages were not the cause.
I had to boot with a Live USB and chroot into the systems to restore the older package versions. I haven't yet found a long-term solution other than holding the packages.
Quote:
Slackware does not patch the upstream grub sources with distribution specific stuff.
I don't know if the buggy packages are distro specific or derived from the upstream GRUB sources. The hasty patched packages affect Red Hat/CentOS systems too.
This entire event was handled -- horribly.
My primary intent for this thread is to provide a simple warning to Pat and Slackers. I'm not interested in Yet Another Ten Page Debate About Nothing Forum Thread.
It's apparently not affected, because Slackware does not patch the upstream grub sources with distribution specific stuff. Plus it doesn't even install grub by default.
According to this source, Gentoo is not affected either.
This is about CVE 2020-15707, mentioned by Daniel Kiper as additional bug, not the main issue filed as CVE-2020-10713.
This is about CVE 2020-15707, mentioned by Daniel Kiper as additional bug, not the main issue filed as CVE-2020-10713.
Sure thing, but from what I can tell; it's the distributions' patch which makes systems not boot properly, and not the original exploit.
Quote:
Originally Posted by upnort
I'm not interested in Yet Another Ten Page Debate About Nothing Forum Thread.
You quote me to complain about these unrelated things I have no control over, assuming and/or implying I have had some part in it?
How is this my problem? Aren't there moderators here to address your concern?
I prefer GRUB also, and am not overly concerned about this exploit. It would be nice to have it patched, but a functioning boot process is a bit more important!
Not related to Slackware (hopefully), but at work on the Debian systems I support the solution is rather straightforward. After updating and before rebooting, run grub-install and update-grub.
Quote:
Sure thing, but from what I can tell; it's the distributions' patch which makes systems not boot properly, and not the original exploit.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.