[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH v2 3/5] save_env should work, even if check_signatures=enforce
From: |
Jon McCune |
Subject: |
[PATCH v2 3/5] save_env should work, even if check_signatures=enforce |
Date: |
Fri, 6 Sep 2013 09:18:51 -0700 |
This is accomplished by changing the call used to read the environment
block file to avoid being subject to signature checks. The contents that
are read from the file are discarded, as the only purpose of reading the
file is to construct the blocklist to which the new environment block
will be written. Thus, the actual contents of the file do not pose a
security risk.
Signed-off-by: Jon McCune <address@hidden>
---
grub-core/commands/loadenv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/commands/loadenv.c b/grub-core/commands/loadenv.c
index 49e8004..efecf6f 100644
--- a/grub-core/commands/loadenv.c
+++ b/grub-core/commands/loadenv.c
@@ -406,7 +406,7 @@ grub_cmd_save_env (grub_extcmd_context_t ctxt, int argc,
char **args)
if (!argc)
return grub_error (GRUB_ERR_BAD_ARGUMENT, "no variable is specified");
- file = open_envblk_file ((state[0].set) ? state[0].arg : 0);
+ file = open_envblk_file_untrusted ((state[0].set) ? state[0].arg : 0);
if (!file)
return grub_errno;
--
1.8.4
- [PATCH v2 1/5] style: indent --no-tabs --gnu-style grub-core/commands/loadenv.c, (continued)
- [PATCH v2 1/5] style: indent --no-tabs --gnu-style grub-core/commands/loadenv.c, Jon McCune, 2013/09/06
- [PATCH v2 2/5] load_env support for whitelisting which variables are read from an env file, even if check_signatures=enforce, Jon McCune, 2013/09/06
- Re: [PATCH v2 2/5] load_env support for whitelisting which variables are read from an env file, even if check_signatures=enforce, Andrey Borzenkov, 2013/09/06
- Re: [PATCH v2 2/5] load_env support for whitelisting which variables are read from an env file, even if check_signatures=enforce, Jonathan McCune, 2013/09/06
- Re: [PATCH v2 2/5] load_env support for whitelisting which variables are read from an env file, even if check_signatures=enforce, Andrey Borzenkov, 2013/09/07
- Re: [PATCH v2 2/5] load_env support for whitelisting which variables are read from an env file, even if check_signatures=enforce, Jonathan McCune, 2013/09/09
- Re: [PATCH v2 2/5] load_env support for whitelisting which variables are read from an env file, even if check_signatures=enforce, Andrey Borzenkov, 2013/09/19
- Re: [PATCH v2 2/5] load_env support for whitelisting which variables are read from an env file, even if check_signatures=enforce, Jonathan McCune, 2013/09/19
- Re: [PATCH v2 2/5] load_env support for whitelisting which variables are read from an env file, even if check_signatures=enforce, Vladimir 'φ-coder/phcoder' Serbinenko, 2013/09/19
- Re: [PATCH v2 2/5] load_env support for whitelisting which variables are read from an env file, even if check_signatures=enforce, Andrey Borzenkov, 2013/09/19
[PATCH v2 3/5] save_env should work, even if check_signatures=enforce,
Jon McCune <=
[PATCH v2 4/5] Add -k, --pubkey=FILE support to grub-install command, Jon McCune, 2013/09/06
[PATCH v2 5/5] Additional security-relevant documentation, Jon McCune, 2013/09/06