LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Closed Thread
  Search this Thread
Old 07-31-2020, 09:09 AM   #1
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware, Proxmox, Debian, CentOS
Posts: 1,639

Rep: Reputation: 972Reputation: 972Reputation: 972Reputation: 972Reputation: 972Reputation: 972Reputation: 972Reputation: 972
PSA: Bad GRUB security patch


Pat and all Slackers using GRUB,

Wednesday a GRUB boot loader security flaw was announced around the web. Thursday many major distro maintainers hastily released a patch. Hastily releasing a patch was in poor judgment because exploiting the flaw requires access to a computer and admin privileges.

This patch is causing many systems to fail to boot. Rather than boot normally the computer drops to a GRUB rescue prompt.

I confirmed the failure on a Debian system.

Pat, please let the dust settle on this mess before pushing a patched GRUB package to 14.2 and Current.

Thanks!
 
Old 07-31-2020, 09:37 AM   #2
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 5,429

Rep: Reputation: 2020Reputation: 2020Reputation: 2020Reputation: 2020Reputation: 2020Reputation: 2020Reputation: 2020Reputation: 2020Reputation: 2020Reputation: 2020Reputation: 2020
I do not use GRUB2, but our esteemed Didier Spaier has already given a comprehensive post
The theres-a-hole-in-the-boot link is informative. The problems will not be in the patches, but rather from the endeavours to fix the breakage in the chain of trust.
 
1 members found this post helpful.
Old 07-31-2020, 10:34 AM   #3
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware, Proxmox, Debian, CentOS
Posts: 1,639

Original Poster
Rep: Reputation: 972Reputation: 972Reputation: 972Reputation: 972Reputation: 972Reputation: 972Reputation: 972Reputation: 972
The Debian systems I tested do not use secure boot. The patches broke GRUB. All I am asking Pat is proceed in his usual cautious manner before pushing patches.

I use GRUB on Slackware systems as do other Slackers. If Pat wants to push proposed GRUB patches to the /testing branch I'll be happy to help test.
 
3 members found this post helpful.
Old 07-31-2020, 11:03 AM   #4
ponce
LQ Guru
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 5,529

Rep: Reputation: Disabled
yes, it seems other distributions already shoot themselves in their feet with these grub2 updates

https://bugzilla.redhat.com/show_bug.cgi?id=1861977
https://access.redhat.com/solutions/...a000002goqWAAQ
https://bugs.centos.org/view.php?id=17631

Last edited by ponce; 07-31-2020 at 01:04 PM.
 
1 members found this post helpful.
Old 07-31-2020, 11:14 AM   #5
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 5,429

Rep: Reputation: 2020Reputation: 2020Reputation: 2020Reputation: 2020Reputation: 2020Reputation: 2020Reputation: 2020Reputation: 2020Reputation: 2020Reputation: 2020Reputation: 2020
I totally agree that this issue is being overblown. A company (with a name that I cannot dissociate mentally from eclampsia) has found a flaw that at this time can only be exploited with root privileges. With that level of access, attack on UEFI seems a low priority.
The fallout from this will be huge. The introduction of UEFI was driven by the Microsoft desire to protect the Windows 10 operating system. Microsoft leveraged the power it has over hardware manufacturers to introduce the required hardware changes. To avoid complaints of unfair competition, Microsoft needed to allow alternative operating systems to be run. The flaws in the adopted mechanism are now being exposed. There is now an impossible balance between the competing interests of administrators requiring secure systems as an immediate priority versus administrators requiring stable functional systems for hundreds/thousands of users.
 
3 members found this post helpful.
Old 07-31-2020, 11:15 AM   #6
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-14.2.1.2 on Lenovo Thinkpad W520
Posts: 9,436

Rep: Reputation: Disabled
@upnort: to make use of the information you gave we need to know which is the "bad" patch.

If you use Debian stable aka Buster I assume that this patch is included in http://security.debian.org/debian-se....debian.tar.xz. However the 'series' file in the debin/patches directory mentions 170 patches (including CVE-2020-10713.patch), so it's hard to know which one is bad...

EDIT: looking at the Centos link provided by Matteo faulty patch could be in mokutil or shim, not grub itself. If this is correct Slackware users are not at risk at all

Anyway I don't think that Patrick will ever apply an untested patch, so we are safe.

Last edited by Didier Spaier; 07-31-2020 at 11:51 AM.
 
Old 07-31-2020, 11:36 AM   #7
elcore
Member
 
Registered: Sep 2014
Distribution: Slackware
Posts: 680

Rep: Reputation: Disabled
It's apparently not affected, because Slackware does not patch the upstream grub sources with distribution specific stuff. Plus it doesn't even install grub by default.
According to this source, Gentoo is not affected either.
 
Old 07-31-2020, 11:55 AM   #8
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware, Proxmox, Debian, CentOS
Posts: 1,639

Original Poster
Rep: Reputation: 972Reputation: 972Reputation: 972Reputation: 972Reputation: 972Reputation: 972Reputation: 972Reputation: 972
Quote:
found a flaw that at this time can only be exploited with root privileges. With that level of access, attack on UEFI seems a low priority.
Exactly. There was no need to hastily push packages without testing.

Quote:
to make use of the information you gave we need to know which is the "bad" patch.
I agree. On two Debian systems I tested both failed to boot. This is the Slackware forum but since you asked there were six related Debian packages released yesterday:

grub2-common_2.02+dfsg1-20+deb10u2_amd64.deb
grub-pc-bin_2.02+dfsg1-20+deb10u2_amd64.deb
grub-efi-amd64_2.02+dfsg1-20+deb10u2_amd64.deb
grub-efi-amd64-bin_2.02+dfsg1-20+deb10u2_amd64.deb
grub-common_2.02+dfsg1-20+deb10u2_amd64.deb
grub-efi-amd64-signed_1+2.02+dfsg1+20+deb10u2_amd64.deb

Both of the systems I tested are not using EFI or secure boot so those packages were not the cause.

I had to boot with a Live USB and chroot into the systems to restore the older package versions. I haven't yet found a long-term solution other than holding the packages.

Quote:
Slackware does not patch the upstream grub sources with distribution specific stuff.
I don't know if the buggy packages are distro specific or derived from the upstream GRUB sources. The hasty patched packages affect Red Hat/CentOS systems too.

This entire event was handled -- horribly.

My primary intent for this thread is to provide a simple warning to Pat and Slackers. I'm not interested in Yet Another Ten Page Debate About Nothing Forum Thread.
 
1 members found this post helpful.
Old 07-31-2020, 11:57 AM   #9
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-14.2.1.2 on Lenovo Thinkpad W520
Posts: 9,436

Rep: Reputation: Disabled
Quote:
Originally Posted by elcore View Post
It's apparently not affected, because Slackware does not patch the upstream grub sources with distribution specific stuff. Plus it doesn't even install grub by default.
According to this source, Gentoo is not affected either.
This is about CVE 2020-15707, mentioned by Daniel Kiper as additional bug, not the main issue filed as CVE-2020-10713.
 
Old 07-31-2020, 12:50 PM   #10
elcore
Member
 
Registered: Sep 2014
Distribution: Slackware
Posts: 680

Rep: Reputation: Disabled
Quote:
Originally Posted by Didier Spaier View Post
This is about CVE 2020-15707, mentioned by Daniel Kiper as additional bug, not the main issue filed as CVE-2020-10713.
Sure thing, but from what I can tell; it's the distributions' patch which makes systems not boot properly, and not the original exploit.

Quote:
Originally Posted by upnort View Post
I'm not interested in Yet Another Ten Page Debate About Nothing Forum Thread.
You quote me to complain about these unrelated things I have no control over, assuming and/or implying I have had some part in it?
How is this my problem? Aren't there moderators here to address your concern?
 
Old 07-31-2020, 01:22 PM   #11
drgibbon
Member
 
Registered: Nov 2014
Distribution: Slackware64 -current
Posts: 722

Rep: Reputation: 468Reputation: 468Reputation: 468Reputation: 468Reputation: 468
I prefer GRUB also, and am not overly concerned about this exploit. It would be nice to have it patched, but a functioning boot process is a bit more important!
 
Old 07-31-2020, 01:32 PM   #12
Aeterna
Member
 
Registered: Aug 2017
Location: Terra Mater
Distribution: VM Host: Slackware-current, VM Guests: Artix, CRUX, FreeBSD, Funtoo, HardenedBSD, OpenIndiana
Posts: 345

Rep: Reputation: Disabled
I have latest antiX (based on Debian Buster without systemd), the only module that is not installed is

grub-efi-amd64-signed_1+2.02+dfsg1+20+deb10u2_amd64.deb

system boots without issues after latest update.
 
Old 07-31-2020, 02:20 PM   #13
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware, Proxmox, Debian, CentOS
Posts: 1,639

Original Poster
Rep: Reputation: 972Reputation: 972Reputation: 972Reputation: 972Reputation: 972Reputation: 972Reputation: 972Reputation: 972
Quote:
How is this my problem? Aren't there moderators here to address your concern?
Not your problem. I wasn't citing you or speaking to you. I was being generic because so many Slackware forum threads these days degenerate.
 
Old 07-31-2020, 02:24 PM   #14
upnort
Senior Member
 
Registered: Oct 2014
Distribution: Slackware, Proxmox, Debian, CentOS
Posts: 1,639

Original Poster
Rep: Reputation: 972Reputation: 972Reputation: 972Reputation: 972Reputation: 972Reputation: 972Reputation: 972Reputation: 972
Not related to Slackware (hopefully), but at work on the Debian systems I support the solution is rather straightforward. After updating and before rebooting, run grub-install and update-grub.

Quote:
Sure thing, but from what I can tell; it's the distributions' patch which makes systems not boot properly, and not the original exploit.
I am not surprised if that is the case
 
Old 07-31-2020, 07:29 PM   #15
gus3
Member
 
Registered: Jun 2014
Distribution: Slackware (x86 and ARM)
Posts: 335

Rep: Reputation: Disabled
Thumbs down

Quote:
Originally Posted by allend View Post
to fix the breakage in the chain of trust.
Right now, I'm so glad I blew away the EFI partition system and went back to the "legacy BIOS" boot chain.

EFI was just another Microsoft "innovation" waiting to be exploited.
 
  


Closed Thread


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
PSA: Flatpak is a security nightmare YesItsMe Linux - Security 1 10-18-2018 07:20 PM
Infinite Grub Loop: GRUB GRUB GRUB GRUB GRUB GRUB GRUB GRUB GRUB GRUB... beeblequix MEPIS 2 11-02-2013 10:56 PM
LXer: PSA Peugeot CitroŽn Chooses SUSE Linux Enterprise Desktop from Novell LXer Syndicated Linux News 0 01-31-2007 02:21 PM
Configuring my older Rio mp3 player, a Nike psa Ed-MtnBiker Fedora 0 01-16-2005 11:31 PM
Nike PSA MP3 player iainvt Linux - Software 1 07-14-2004 09:08 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 09:49 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration