GNU bug report logs - #47185
grub2 package is vulnerable to CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233 and CVE-2021-3418


Package: guix; Reported by: Léo Le Bouter <lle-bout@HIDDEN>; Keywords: security; dated Tue, 16 Mar 2021 08:09:20 UTC; Maintainer for guix is bug-guix@HIDDEN.
Added tag(s) security. Request was from Léo Le Bouter <lle-bout@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 47185 <at> debbugs.gnu.org:


Received: (at 47185) by debbugs.gnu.org; 17 Mar 2021 02:15:49 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Mar 16 22:15:49 2021
Received: from localhost ([127.0.0.1]:41573 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lMLii-0002ag-NM
	for submit <at> debbugs.gnu.org; Tue, 16 Mar 2021 22:15:49 -0400
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:56911)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@HIDDEN>) id 1lMLif-0002aT-Re
 for 47185 <at> debbugs.gnu.org; Tue, 16 Mar 2021 22:15:35 -0400
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43])
 by mailout.nyi.internal (Postfix) with ESMTP id C4E395C0114;
 Tue, 16 Mar 2021 22:15:28 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163])
 by compute3.internal (MEProxy); Tue, 16 Mar 2021 22:15:28 -0400
Received: from localhost (pool-100-11-169-118.phlapa.fios.verizon.net
 [100.11.169.118])
 by mail.messagingengine.com (Postfix) with ESMTPA id C842E108005C;
 Tue, 16 Mar 2021 22:15:27 -0400 (EDT)
Date: Tue, 16 Mar 2021 22:15:26 -0400
From: Leo Famulari <leo@HIDDEN>
To: Mark H Weaver <mhw@HIDDEN>
Subject: Re: bug#47185: grub2 package is vulnerable to CVE-2020-14372,
 CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779,
 CVE-2021-20225, CVE-2021-20233 and CVE-2021-3418
Message-ID: <YFFmPgweFmoXEuSx@HIDDEN>
References: <ba69ba4020b40dfa182174ea2395cf17195512d5.camel@HIDDEN>
 <3de2a6393156da40334d95993e15b22ca0eae5df.camel@HIDDEN>
 <87pmzyirt1.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <87pmzyirt1.fsf@HIDDEN>
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 47185
Cc: Léo Le Bouter <lle-bout@HIDDEN>,
 47185 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

On Tue, Mar 16, 2021 at 07:47:43PM -0400, Mark H Weaver wrote:
> I think we should refrain from updating GRUB until there's an official
> upstream stable release.  Even then, I would advise making an effort to
> test it on Guix systems, using several different system configurations,
> before pushing it to 'master'.
> 
> What do you think?

I agree with Mark that we should tread carefully. Also, I am always
available to test GRUB changes. I have a computer dedicated to testing
changes with Guix System.




Information forwarded to bug-guix@HIDDEN:
bug#47185; Package guix. Full text available.

Message received at 47185 <at> debbugs.gnu.org:


Received: (at 47185) by debbugs.gnu.org; 16 Mar 2021 23:49:23 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Mar 16 19:49:23 2021
Received: from localhost ([127.0.0.1]:41480 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lMJRD-0007br-07
	for submit <at> debbugs.gnu.org; Tue, 16 Mar 2021 19:49:23 -0400
Received: from world.peace.net ([64.112.178.59]:51518)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <mhw@HIDDEN>) id 1lMJRA-0007bd-Mv
 for 47185 <at> debbugs.gnu.org; Tue, 16 Mar 2021 19:49:21 -0400
Received: from mhw by world.peace.net with esmtpsa
 (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)
 (envelope-from <mhw@HIDDEN>)
 id 1lMJR4-0000cI-EE; Tue, 16 Mar 2021 19:49:14 -0400
From: Mark H Weaver <mhw@HIDDEN>
To: Léo Le Bouter <lle-bout@HIDDEN>, 47185 <at> debbugs.gnu.org
Subject: Re: bug#47185: grub2 package is vulnerable to CVE-2020-14372,
 CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779,
 CVE-2021-20225, CVE-2021-20233 and CVE-2021-3418
In-Reply-To: <3de2a6393156da40334d95993e15b22ca0eae5df.camel@HIDDEN>
References: <ba69ba4020b40dfa182174ea2395cf17195512d5.camel@HIDDEN>
 <3de2a6393156da40334d95993e15b22ca0eae5df.camel@HIDDEN>
Date: Tue, 16 Mar 2021 19:47:43 -0400
Message-ID: <87pmzyirt1.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 47185
X-Spam-Score: -1.0 (-)

Hi Léo,

Léo Le Bouter via Bug reports for GNU Guix <bug-guix@HIDDEN> writes:
> NOTE: SecureBoot on GNU Guix is not something common at all, so the
> urgency to fix this issue is not as great as if we explicitly
> advertised support for SecureBoot.

I would go further and question whether *anyone* is using SecureBoot
with a Guix system, and moreover whether it's feasible to do without
non-trivial development work.

> This looks like a sizeable upgrade to a sensitive part of GNU Guix, so
> we have to test carefully.

Indeed.  I would like to underline this point: GRUB is the only part of
a Guix system that cannot be easily rolled back if it breaks.  If we
make changes to GRUB that cause breakage for some minority of users,
those users could end up with an unbootable system, requiring the use of
a rescue disk to repair.

Therefore, we should be *very* careful about updating our GRUB package,
especially for the sake of bugs that almost certainly do not affect Guix
users.

I think we should refrain from updating GRUB until there's an official
upstream stable release.  Even then, I would advise making an effort to
test it on Guix systems, using several different system configurations,
before pushing it to 'master'.

What do you think?

      Regards,
        Mark




Information forwarded to bug-guix@HIDDEN:
bug#47185; Package guix. Full text available.

Message received at 47185 <at> debbugs.gnu.org:


Received: (at 47185) by debbugs.gnu.org; 16 Mar 2021 08:36:44 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Mar 16 04:36:44 2021
Received: from localhost ([127.0.0.1]:38139 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lM5C0-0003tV-Dy
	for submit <at> debbugs.gnu.org; Tue, 16 Mar 2021 04:36:44 -0400
Received: from mail.zaclys.net ([178.33.93.72]:45915)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lle-bout@HIDDEN>) id 1lM5Bz-0003t7-9P
 for 47185 <at> debbugs.gnu.org; Tue, 16 Mar 2021 04:36:43 -0400
Received: from guix-xps.local (82-64-145-38.subs.proxad.net [82.64.145.38])
 (authenticated bits=0)
 by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12G8abG4019520
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
 for <47185 <at> debbugs.gnu.org>; Tue, 16 Mar 2021 09:36:37 +0100
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12G8abG4019520
Authentication-Results: mail.zaclys.net;
 dmarc=fail (p=reject dis=none) header.from=zaclys.net
Authentication-Results: mail.zaclys.net;
 spf=fail smtp.mailfrom=lle-bout@HIDDEN
Message-ID: <3de2a6393156da40334d95993e15b22ca0eae5df.camel@HIDDEN>
Subject: Re: bug#47185: grub2 package is vulnerable to CVE-2020-14372,
 CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779,
 CVE-2021-20225, CVE-2021-20233 and CVE-2021-3418
From: Léo Le Bouter <lle-bout@HIDDEN>
To: 47185 <at> debbugs.gnu.org
Date: Tue, 16 Mar 2021 09:36:36 +0100
In-Reply-To: <ba69ba4020b40dfa182174ea2395cf17195512d5.camel@HIDDEN>
References: <ba69ba4020b40dfa182174ea2395cf17195512d5.camel@HIDDEN>
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-apaclQv1BiQJt/Qh8yos"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 47185
X-Spam-Score: -1.0 (-)


--=-apaclQv1BiQJt/Qh8yos
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

NOTE: SecureBoot on GNU Guix is not something common at all, so the
urgency to fix this issue is not as great as if we explicitly
advertised support for SecureBoot.

--=-apaclQv1BiQJt/Qh8yos--





Information forwarded to bug-guix@HIDDEN:
bug#47185; Package guix. Full text available.

Message received at 47185 <at> debbugs.gnu.org:


Received: (at 47185) by debbugs.gnu.org; 16 Mar 2021 08:17:29 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Mar 16 04:17:26 2021
Received: from localhost ([127.0.0.1]:38084 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lM4tD-0006oY-E5
	for submit <at> debbugs.gnu.org; Tue, 16 Mar 2021 04:17:25 -0400
Received: from mail.zaclys.net ([178.33.93.72]:39523)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lle-bout@HIDDEN>) id 1lM4sy-0006kX-AB
 for 47185 <at> debbugs.gnu.org; Tue, 16 Mar 2021 04:17:11 -0400
Received: from guix-xps.local (82-64-145-38.subs.proxad.net [82.64.145.38])
 (authenticated bits=0)
 by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12G8Gwex015835
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
 for <47185 <at> debbugs.gnu.org>; Tue, 16 Mar 2021 09:16:58 +0100
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12G8Gwex015835
Authentication-Results: mail.zaclys.net;
 dmarc=fail (p=reject dis=none) header.from=zaclys.net
Authentication-Results: mail.zaclys.net;
 spf=fail smtp.mailfrom=lle-bout@HIDDEN
Message-ID: <167a5c8e8451729bc50b530229ca34a832af7530.camel@HIDDEN>
Subject: Re: bug#47185: grub2 package is vulnerable to CVE-2020-14372,
 CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779,
 CVE-2021-20225, CVE-2021-20233 and CVE-2021-3418
From: Léo Le Bouter <lle-bout@HIDDEN>
To: 47185 <at> debbugs.gnu.org
Date: Tue, 16 Mar 2021 09:16:57 +0100
In-Reply-To: <ba69ba4020b40dfa182174ea2395cf17195512d5.camel@HIDDEN>
References: <ba69ba4020b40dfa182174ea2395cf17195512d5.camel@HIDDEN>
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-e0zpb/yhcacjcTi+JTe/"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 47185
X-Spam-Score: -1.0 (-)


--=-e0zpb/yhcacjcTi+JTe/
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Tue, 2021-03-16 at 09:08 +0100, Léo Le Bouter via Bug reports for
GNU Guix wrote:
> There is no new upstream release so patching this appears to be some
> kind of sport.

There seems to be a release candidate available:
https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00219.html

--=-e0zpb/yhcacjcTi+JTe/--





Information forwarded to bug-guix@HIDDEN:
bug#47185; Package guix. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 16 Mar 2021 08:09:09 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Mar 16 04:09:07 2021
Received: from localhost ([127.0.0.1]:38077 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lM4l8-00055t-NJ
	for submit <at> debbugs.gnu.org; Tue, 16 Mar 2021 04:09:06 -0400
Received: from lists.gnu.org ([209.51.188.17]:58936)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lle-bout@HIDDEN>) id 1lM4kq-00051M-0l
 for submit <at> debbugs.gnu.org; Tue, 16 Mar 2021 04:08:48 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:38188)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@HIDDEN>)
 id 1lM4kp-0007C2-IY
 for bug-guix@HIDDEN; Tue, 16 Mar 2021 04:08:39 -0400
Received: from mail.zaclys.net ([178.33.93.72]:34647)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@HIDDEN>)
 id 1lM4kk-0005HW-ST
 for bug-guix@HIDDEN; Tue, 16 Mar 2021 04:08:39 -0400
Received: from guix-xps.local (82-64-145-38.subs.proxad.net [82.64.145.38])
 (authenticated bits=0)
 by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12G88W4L014386
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
 for <bug-guix@HIDDEN>; Tue, 16 Mar 2021 09:08:32 +0100
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12G88W4L014386
Authentication-Results: mail.zaclys.net;
 dmarc=fail (p=reject dis=none) header.from=zaclys.net
Authentication-Results: mail.zaclys.net;
 spf=fail smtp.mailfrom=lle-bout@HIDDEN
Message-ID: <ba69ba4020b40dfa182174ea2395cf17195512d5.camel@HIDDEN>
Subject: grub2 package is vulnerable to CVE-2020-14372, CVE-2020-25632,
 CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225,
 CVE-2021-20233 and CVE-2021-3418
From: Léo Le Bouter <lle-bout@HIDDEN>
To: bug-guix@HIDDEN
Date: Tue, 16 Mar 2021 09:08:31 +0100
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-pU+8X2Uhm7Uo1IGzq6HE"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@HIDDEN;
 helo=mail.zaclys.net
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: submit
X-Spam-Score: -2.3 (--)


--=-pU+8X2Uhm7Uo1IGzq6HE
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

As outlined by
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass2021
we have a new wave of GRUB security vulnerabilities around SecureBoot.

There is no new upstream release so patching this appears to be some
kind of sport.

Debian has patched it in this commit:
https://salsa.debian.org/grub-team/grub/-/commit/37c2a594625efba8b7f10d18a444393982d2e31f

I see also there's a new concept of SBAT section to ease administrative
efforts around certificate revocation when signed binaries such as some
GRUB2 things become vulnerable (and we don't want them to verify
successfully anymore).

This looks like a sizeable upgrade to a sensitive part of GNU Guix, so
we have to test carefully.

--=-pU+8X2Uhm7Uo1IGzq6HE--





Acknowledgement sent to Léo Le Bouter <lle-bout@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#47185; Package guix. Full text available.
Last modified: Fri, 19 Mar 2021 10:45:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.