On Tuesday, 25.08.2009, at 01:58 +0200, Vladimir 'phcoder' Serbinenko wrote:
> On Tue, Aug 25, 2009 at 12:36 AM, Robert Millan<r...@aybabtu.com> wrote:
> >
> > I had a look at grub_cmdline_get(), and it would need some restructuring in
> > order not to enforce static allocation. I admit it doesn't make sense to
> > put this patch on hold because of it.
> >
> > Vladimir, please go ahead with your latest patch. I will try to change
> > grub_cmdline_get() semantics later if I get some time.
> >
> Committed. Beware that it needs more review and testing before
> considering it somewhat secure (well we don't really need to be more
> secure than firmware password unless we're firmware).
> Additionally using plaintext support (currently the only supported) is
> a bad practice. I'll look if I have time to implement a form of
> cryptographic password (e.g. scrypt) before 1.97 freeze.

Does it have the same problem as CVE-2008-3896 published for grub-legacy?
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3896

--
Felix Zielcke
Proud Debian Maintainer