This patch for Grub2 fixes CVE-2015-8370 [0][1]. The source of the patch is [0].
One thing to note is that there doesn't seem to be any response from upstream, yet. However, at least some distros are applying the patch [2][3].

AFAIK, GuixSD doesn't support authenticated Grub yet, so this vulnerability doesn't manifest itself. Because of this, I did not test if the patch fixes the bug. I did test that Grub works as expected with the patch applied. If I'm wrong, and it's possible to set up authenticated Grub on GuixSD, I can test that, too.

I tested this patch on bare-metal i686, like this:

0) Installed GuixSD on i686 laptop.
1) Cloned Guix source tree and built Guix.
2) Applied this patch, and built Grub as a sanity check.
   `./pre-inst-env guix build grub`
3) Reconfigured the system against the source tree.
   `./pre-inst-env guix system reconfigure config.scm`
4) Successfully rebooted several times into different generations of the system.

[0] http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html
[1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8370
[2] Select "Fedora 23" from the "RELEASE" menu: https://apps.fedoraproject.org/packages/grub2/sources/spec/
[3] See "changelog": https://packages.qa.debian.org/g/grub2.html

Leo Famulari (1):
  gnu: grub: Add fix for CVE-2015-8730.

 gnu/packages/grub.scm                         |  4 ++-
 gnu/packages/patches/grub-CVE-2015-8370.patch | 45 +++++++++++++++++++++++++++
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/grub-CVE-2015-8370.patch

-- 
2.6.2
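
Review bot: The commit summary in the shortlog reads "Add fix for CVE-2015-8730", while the cover letter, references [0] and [1], and the patch file name grub-CVE-2015-8370.patch all use CVE-2015-8370. The digits in the summary look transposed; it should read "gnu: grub: Add fix for CVE-2015-8370." so that a search of the log for the CVE identifier finds this commit.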