300-CVE-2015-8370.patch 1.0 KB

  1. From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
  2. From: Hector Marco-Gisbert <hecmargi@upv.es>
  3. Date: Fri, 13 Nov 2015 16:21:09 +0100
  4. Subject: [PATCH] Fix security issue when reading username and password
  5. This patch fixes two integer underflows at:
  6. * grub-core/lib/crypto.c
  7. * grub-core/normal/auth.c
  8. Resolves: CVE-2015-8370
  9. Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
  10. Signed-off-by: Ismael Ripoll-Ripoll <iripoll@disca.upv.es>
  11. ---
  12. grub-core/lib/crypto.c | 2 +-
  13. grub-core/normal/auth.c | 2 +-
  14. 2 files changed, 2 insertions(+), 2 deletions(-)
  15. --- a/grub-core/lib/crypto.c
  16. +++ b/grub-core/lib/crypto.c
  17. @@ -468,7 +468,7 @@ grub_password_get (char buf[], unsigned
  18. break;
  19. }
  20. - if (key == '\b')
  21. + if (key == '\b' && cur_len)
  22. {
  23. if (cur_len)
  24. cur_len--;
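Review bot: With the new test `if (key == '\b' && cur_len)` in grub_password_get, a backspace typed on an empty buffer no longer enters this block, so it falls through to the code after the block, which is outside the hunk. That code has to discard '\b' rather than append it to buf, and this is worth confirming against the base tree. The context lines already show an inner `if (cur_len)` around `cur_len--`, which the outer test now makes redundant; it also suggests the decrement may already have been guarded in the version this patch targets. I would drop the inner test and add a comment above the outer one, for example `/* Backspace with nothing typed must not take cur_len below zero (CVE-2015-8370). */`. The grub_username_get hunk in grub-core/normal/auth.c has the same shape, and both function bodies begin and end outside their hunks.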
  25. --- a/grub-core/normal/auth.c
  26. +++ b/grub-core/normal/auth.c
  27. @@ -172,7 +172,7 @@ grub_username_get (char buf[], unsigned
  28. break;
  29. }
  30. - if (key == '\b')
  31. + if (key == '\b' && cur_len)
  32. {
  33. if (cur_len)
  34. {