[Git][security-tracker-team/security-tracker][master] Update information on CVE-2020-15705 with (hopefully enough) detailed clarification

Salvatore Bonaccorso carnil at debian.org
Mon Aug 10 06:43:26 BST 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3ef7c83c by Salvatore Bonaccorso at 2020-08-10T07:42:09+02:00
Update information on CVE-2020-15705 with (hopefully enough) detailed clarification

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3678,8 +3678,12 @@ CVE-2020-15706 (GRUB2 contains a race condition in grub_script_function_create()
 	NOTE: https://www.openwall.com/lists/oss-security/2020/07/29/3
 	NOTE: https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=426f57383d647406ae9c628c472059c27cd6e040
 CVE-2020-15705 (GRUB2 fails to validate kernel signature when booted directly without  ...)
-	- grub2 <unfixed> (unimportant)
-	NOTE: Issue does not affect standard SB Debian setup.
+	- grub2 <not-affected> (Vulnerable code specific in Ubuntu)
+	NOTE: Debian's grub_linuxefi_secure_validate has different interface than the one in
+	NOTE: Ubuntu and returns the code from "shim not available" and "kernel signature
+	NOTE: verification failed". The patch for CVE-2020-15705 is essentially about handling
+	NOTE: those two cases in the same way when they were previously handled differently,
+	NOTE: and so not a problem for src:grub2 in Debian.
 	NOTE: https://www.openwall.com/lists/oss-security/2020/07/29/3
 CVE-2020-15704 [ppp ZDI-CAN-11504]
 	RESERVED
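Review bot: The new NOTE text on the CVE-2020-15705 entry does not say outright why Debian is not affected. The phrase 'returns the code from "shim not available" and "kernel signature verification failed"' can be read either as one shared return code or as two distinct ones, and the not-affected status depends on which is meant. If the intent is that Debian's grub_linuxefi_secure_validate already treats both cases the same way, say so explicitly, and consider adding a NOTE that links to the relevant Debian source or the Ubuntu patch so the claim can be checked later. Minor wording: "specific in Ubuntu" should read "specific to Ubuntu", and "has different interface" is missing "a".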



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ef7c83cedfeaa21c0a1cf8f61e3196170550889
