package/boot/grub2/patches/300-CVE-2015-8370.patch

   1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
   2 From: Hector Marco-Gisbert <hecmargi@upv.es>
   3 Date: Fri, 13 Nov 2015 16:21:09 +0100
   4 Subject: [PATCH] Fix security issue when reading username and password
   5
   6   This patch fixes two integer underflows at:
   7     * grub-core/lib/crypto.c
   8     * grub-core/normal/auth.c
   9
  10 Resolves: CVE-2015-8370
  11
  12 Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
  13 Signed-off-by: Ismael Ripoll-Ripoll <iripoll@disca.upv.es>
  14 ---
  15  grub-core/lib/crypto.c  | 2 +-
  16  grub-core/normal/auth.c | 2 +-
  17  2 files changed, 2 insertions(+), 2 deletions(-)
  18
  19 --- a/grub-core/lib/crypto.c
  20 +++ b/grub-core/lib/crypto.c
  21 @@ -468,7 +468,7 @@ grub_password_get (char buf[], unsigned
  22           break;
  23         }
  24
  25 -      if (key == '\b')
  26 +      if (key == '\b' && cur_len)
  27         {
  28           if (cur_len)
  29             cur_len--;
  30 --- a/grub-core/normal/auth.c
  31 +++ b/grub-core/normal/auth.c
  32 @@ -172,7 +172,7 @@ grub_username_get (char buf[], unsigned
  33           break;
  34         }
  35
  36 -      if (key == '\b')
  37 +      if (key == '\b' && cur_len)
  38         {
  39           if (cur_len)
  40             {