
Re: grub2 CVEs



Hi,

On Thu, Mar 04, 2021 at 02:21:04PM +0100, Sylvain Beucler wrote:
> Are CVE-2021-20225 and CVE-2021-20233 specific to SecureBoot?

They are only non-negligible in SecureBoot context, or put
otherwise, without SecureBoot, grub is not crossing any reasonable
trust boundary here. The short option parser issue for instance: An
attacker able to trigger a search "search -hhhhhhhhhhhhhf" can do much
more already without this issue in non-SB context. Similarly for the
menuentry command issue.

Regards,
Salvatore

