Message-ID: <4AF81E2C.2090700@gmail.com>
Date: Mon, 09 Nov 2009 14:50:36 +0100
From: Vladimir 'phcoder' Serbinenko
To: The development of GNU GRUB
References: <20091109010422.GA23417@thorin>
Subject: Re: Imminent bugfix release (1.97.1)

Bean wrote:
> On Mon, Nov 9, 2009 at 9:04 AM, Robert Millan wrote:
>
>> A security problem [1] was found in our password-checking routines,
>> which affects GRUB 1.97. I'll be releasing 1.97.1 tomorrow.
>>
>> Additionally, I cherry-picked fixes for a few problems that should
>> have made it to the release, like GNU/Hurd support (see NEWS file
>> for details). The release branch is available in:
>>
>> sftp://bzr.savannah.gnu.org/srv/bzr/grub/branches/release_1_97/
>>
>> If you have time, please test this tree, specially password support,
>> to help find possible problems.
>>
>
> Hi,
>
> Actually, the function of grub_auth_strcmp puzzles me, why would it
> need to wait 100 ms to return the result?

10 ms actually. The goal is to take the same amount of time independently
of input values.
But probably the delay should be around the whole thing, and that's how
I'll do it, but for this urgent release this will do.

> grub_auth_strcmp is used in
> many places, so the authorized could take some time to complete. And
> there is a hidden issue in it, grub_auth_strcmp can accept NULL
> pointer as input, but grub_strcmp doesn't check for NULL pointer.
>

Current codebase didn't use it.

-- 
Regards
Vladimir 'phcoder' Serbinenko
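
Added example, not part of the original message and not GRUB's code: the goal stated in the thread, a comparison that takes the same amount of time independently of the input values, can also be approached with a loop that always runs a fixed number of iterations and rejects NULL before touching either string. AUTH_MAX_LEN, naive_steps and auth_streq are hypothetical names chosen for this sketch.

```c
#include <stddef.h>
#include <stdio.h>

#define AUTH_MAX_LEN 64   /* assumed upper bound on password length */

/* Early-exit comparison, instrumented: returns how many characters it
   examined before deciding. The count grows with the matching prefix,
   which is the input-dependent timing the thread wants to avoid. */
size_t naive_steps(const char *a, const char *b)
{
    size_t n = 1;
    while (*a && *a == *b) { a++; b++; n++; }
    return n;
}

/* Returns 1 if the strings are equal, 0 otherwise. The loop always runs
   AUTH_MAX_LEN times and never branches on a character value in the
   source; whether the compiled code is branch-free must still be
   checked for the target compiler. */
int auth_streq(const char *a, const char *b)
{
    unsigned char diff = 0;
    size_t ia = 0, ib = 0, n;

    if (a == NULL || b == NULL)      /* this sketch treats NULL as "no match" */
        return 0;
    for (n = 0; n < AUTH_MAX_LEN; n++) {
        unsigned char ca = (unsigned char) a[ia];
        unsigned char cb = (unsigned char) b[ib];
        diff |= ca ^ cb;             /* accumulate every difference */
        ia += (ca != 0);             /* stay on the terminator once reached */
        ib += (cb != 0);
    }
    /* Anything left after AUTH_MAX_LEN characters means "too long": reject. */
    diff |= (unsigned char) a[ia] | (unsigned char) b[ib];
    return diff == 0;
}

int main(void)
{
    printf("naive steps, early mismatch: %zu\n", naive_steps("secret", "sXXXXX"));
    printf("naive steps, late mismatch:  %zu\n", naive_steps("secret", "secreX"));
    printf("auth_streq equal: %d, differ: %d, NULL: %d\n",
           auth_streq("secret", "secret"), auth_streq("secret", "secreX"),
           auth_streq(NULL, "secret"));
    return 0;
}
```
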