* [Buildroot] Grub security situation
@ 2025-05-07 21:19 Thomas Petazzoni via buildroot
2025-05-08 6:27 ` Arnout Vandecappelle via buildroot
2025-05-08 8:11 ` Peter Korsgaard
0 siblings, 2 replies; 6+ messages in thread
From: Thomas Petazzoni via buildroot @ 2025-05-07 21:19 UTC (permalink / raw)
To: buildroot; +Cc: Thomas Perale, Julien Olivain, Romain Naour
Hello,
The latest pkg-stats scan reported to me a number of grub2 security
issues:
grub2 | CVE-2024-45778 | https://security-tracker.debian.org/tracker/CVE-2024-45778
grub2 | CVE-2024-45782 | https://security-tracker.debian.org/tracker/CVE-2024-45782
grub2 | CVE-2024-45779 | https://security-tracker.debian.org/tracker/CVE-2024-45779
grub2 | CVE-2024-45780 | https://security-tracker.debian.org/tracker/CVE-2024-45780
grub2 | CVE-2025-0678 | https://security-tracker.debian.org/tracker/CVE-2025-0678
Looking at that in some details, there are in fact a LOT more CVEs:
https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html
Many of them are not reported by pkg-stats because NVD has not
annotated those CVEs (meh).
Now when it becomes a bit tricky is that those CVEs are fixed by 73
patches. All of them have been applied upstream, but they are
apparently not trivial to backport on grub 2.12.
See Arch people complaining here:
https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00124.html
https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00098.html
There are currently 284 commits in grub's master on top of the 2.12
version we're using. Backporting the 73 patches fixing the security
issues seems complicated, and having all 284 commits as patches in
Buildroot also seems not very practical.
So the only solution that I can see right now is to used grub's master
branch (of course with a fixed commit). Of course, for 2025.02, this
means we would bump grub to a newer version that not only has security
fixes, but also a whole bunch of other random changes. But that's how
grub is maintained, and I'm not sure what we can do about it.
Opinions? Thoughts? Suggestions?
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [Buildroot] Grub security situation
2025-05-07 21:19 [Buildroot] Grub security situation Thomas Petazzoni via buildroot
@ 2025-05-08 6:27 ` Arnout Vandecappelle via buildroot
2025-05-08 8:11 ` Peter Korsgaard
1 sibling, 0 replies; 6+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2025-05-08 6:27 UTC (permalink / raw)
To: Thomas Petazzoni, buildroot; +Cc: Julien Olivain, Romain Naour, Thomas Perale
On 07/05/2025 23:19, Thomas Petazzoni wrote:
> Hello,
>
> The latest pkg-stats scan reported to me a number of grub2 security
> issues:
>
> grub2 | CVE-2024-45778 | https://security-tracker.debian.org/tracker/CVE-2024-45778
> grub2 | CVE-2024-45782 | https://security-tracker.debian.org/tracker/CVE-2024-45782
> grub2 | CVE-2024-45779 | https://security-tracker.debian.org/tracker/CVE-2024-45779
> grub2 | CVE-2024-45780 | https://security-tracker.debian.org/tracker/CVE-2024-45780
> grub2 | CVE-2025-0678 | https://security-tracker.debian.org/tracker/CVE-2025-0678
>
> Looking at that in some details, there are in fact a LOT more CVEs:
>
> https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html
>
> Many of them are not reported by pkg-stats because NVD has not
> annotated those CVEs (meh).
>
> Now when it becomes a bit tricky is that those CVEs are fixed by 73
> patches. All of them have been applied upstream, but they are
> apparently not trivial to backport on grub 2.12.
>
> See Arch people complaining here:
>
> https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00124.html
> https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00098.html
>
> There are currently 284 commits in grub's master on top of the 2.12
> version we're using. Backporting the 73 patches fixing the security
> issues seems complicated,
Debian trixie also has 2.12, and there are 71 patches there [1]. So perhaps
tracking Debian is an option? I think we used to do that for grub before:
GRUB_SOURCE = grub_$(GRUB_VERSION).orig.tar.gz
GRUB_PATCH = grub_$(GRUB_VERSION)-68.diff.gz
GRUB_SITE =
http://snapshot.debian.org/archive/debian/20141023T043132Z/pool/main/g/grub
Regards,
Arnout
[1]
https://salsa.debian.org/grub-team/grub/-/tree/master/debian/patches/cve-2025-jan?ref_type=heads
> and having all 284 commits as patches in
> Buildroot also seems not very practical.
>
> So the only solution that I can see right now is to used grub's master
> branch (of course with a fixed commit). Of course, for 2025.02, this
> means we would bump grub to a newer version that not only has security
> fixes, but also a whole bunch of other random changes. But that's how
> grub is maintained, and I'm not sure what we can do about it.
>
> Opinions? Thoughts? Suggestions?
>
> Thomas
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Buildroot] Grub security situation
2025-05-07 21:19 [Buildroot] Grub security situation Thomas Petazzoni via buildroot
2025-05-08 6:27 ` Arnout Vandecappelle via buildroot
@ 2025-05-08 8:11 ` Peter Korsgaard
2025-05-08 8:22 ` James Hilliard
1 sibling, 1 reply; 6+ messages in thread
From: Peter Korsgaard @ 2025-05-08 8:11 UTC (permalink / raw)
To: Thomas Petazzoni; +Cc: Julien Olivain, Romain Naour, Thomas Perale, buildroot
>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:
Hi,
> So the only solution that I can see right now is to used grub's master
> branch (of course with a fixed commit). Of course, for 2025.02, this
> means we would bump grub to a newer version that not only has security
> fixes, but also a whole bunch of other random changes. But that's how
> grub is maintained, and I'm not sure what we can do about it.
> Opinions? Thoughts? Suggestions?
It sucks, but grub2 doesn't seem very alive and well maintained nowdays.
From the mails above it sounded like the current git version had some
regressions compared to 2.12, so using git doesn't sound that great.
Arnouts suggestion about piggy banking on Debian could be an option, or
alternatively we could simply drop grub2? With EFI I guess there is less
need for grub2 anyway?
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Buildroot] Grub security situation
2025-05-08 8:11 ` Peter Korsgaard
@ 2025-05-08 8:22 ` James Hilliard
2025-05-08 14:29 ` Lance Fredrickson
0 siblings, 1 reply; 6+ messages in thread
From: James Hilliard @ 2025-05-08 8:22 UTC (permalink / raw)
To: Peter Korsgaard
Cc: Thomas Petazzoni, Julien Olivain, Romain Naour, Thomas Perale,
buildroot
On Thu, May 8, 2025 at 2:11 AM Peter Korsgaard <peter@korsgaard.com> wrote:
>
> >>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:
>
> Hi,
>
> > So the only solution that I can see right now is to used grub's master
> > branch (of course with a fixed commit). Of course, for 2025.02, this
> > means we would bump grub to a newer version that not only has security
> > fixes, but also a whole bunch of other random changes. But that's how
> > grub is maintained, and I'm not sure what we can do about it.
>
> > Opinions? Thoughts? Suggestions?
>
> It sucks, but grub2 doesn't seem very alive and well maintained nowdays.
> From the mails above it sounded like the current git version had some
> regressions compared to 2.12, so using git doesn't sound that great.
>
> Arnouts suggestion about piggy banking on Debian could be an option, or
> alternatively we could simply drop grub2? With EFI I guess there is less
> need for grub2 anyway?
Probably just best to keep the package and just mark it as having some
known security issues.
I'm assuming these are security issues that are in most cases relatively
unlikely to be exploited in practice.
>
> --
> Bye, Peter Korsgaard
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2025-05-08 21:39 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-05-07 21:19 [Buildroot] Grub security situation Thomas Petazzoni via buildroot
2025-05-08 6:27 ` Arnout Vandecappelle via buildroot
2025-05-08 8:11 ` Peter Korsgaard
2025-05-08 8:22 ` James Hilliard
2025-05-08 14:29 ` Lance Fredrickson
2025-05-08 21:38 ` Waldemar Brodkorb
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.