Re: [PATCH 7/7] verifiers: Verify after decompression

2024-03-28 Thread Ross Lagerwall via Grub-devel
On Fri, Mar 15, 2024 at 7:26 AM Vladimir 'phcoder' Serbinenko wrote:
>
> Verifying after decompression is a bad security practice. It relies on
> decompression having no security holes. Given how complex decompression is,
> this is almost guaranteed to be false.
>

Point taken... I'll drop this

Re: [PATCH 7/7] verifiers: Verify after decompression

2024-03-15 Thread Vladimir 'phcoder' Serbinenko
Verifying after decompression is a bad security practice. It relies on decompression having no security holes. Given how complex decompression is, this is almost guaranteed to be false.

On Wed, 13 Mar 2024, 18:08, Ross Lagerwall via Grub-devel <grub-devel@gnu.org> wrote:
> It is convenient a

Re: [PATCH 7/7] verifiers: Verify after decompression

2024-03-14 Thread Michael Chang via Grub-devel
On Wed, Mar 13, 2024 at 03:07:48PM +, Ross Lagerwall via Grub-devel wrote:
> It is convenient and common to have binaries stored in gzip archives
> (e.g. xen.gz). Verification should be run after decompression rather
> than before so reorder the file filter list as appropriate.

The proposed ch

[PATCH 7/7] verifiers: Verify after decompression

2024-03-13 Thread Ross Lagerwall via Grub-devel
It is convenient and common to have binaries stored in gzip archives (e.g. xen.gz). Verification should be run after decompression rather than before so reorder the file filter list as appropriate. Signed-off-by: Ross Lagerwall --- include/grub/file.h | 2 +- 1 file changed, 1 insertion(+), 1 de