bug-grub
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: grub security fix for CVE-2008-3896


From: Vesa Jääskeläinen
Subject: Re: grub security fix for CVE-2008-3896
Date: Mon, 06 Oct 2008 21:52:33 +0300
User-agent: Thunderbird 2.0.0.17 (Windows/20080914)

Craig wrote:
> Hello,
> is/will there be a fix for CVE-2008-3896 in grub legacy?
> 
> Best regards,
> 
> Craig

Hi Craig,

a) No-one is really working on grub legacy.

b) The details? If it is previous "hack" to modify grub or bios in order
attack vector to be usable, we do not really see this as a grub problem
as grub and bios is not then in authentic state and that problem needs
completely different protection.

If it is about password visible in memory; in most OSes you require root
privileges in order to read memory so at that point the game is already
lost as attacker can do anything anyway.

I have nothing against clearing memory having the password input. But I
do not see anyone making any changes to grub legacy. For grub 2 the
story is completely different of course.

Thanks,
Vesa Jääskeläinen




reply via email to

[Prev in Thread] Current Thread [Next in Thread]