USN-868-1: GRUB 2 vulnerability
Ubuntu Security Notice USN-868-1 December 09, 2009
grub2 vulnerability
CVE-2009-4128
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 9.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 9.10:
grub2 1.97~beta4-1ubuntu4.1
In general, a standard system upgrade is sufficient to effect the necessary
changes.
Users who have upgraded from GRUB Legacy to GRUB 2 and did not run
'upgrade-from-grub-legacy' (i.e. those who are still using GRUB Legacy to
chainload into GRUB 2) will have to run the following command (possibly
adjusting 'hd0') to update GRUB 2's on-disk core image:
$ sudo grub-install --no-floppy --grub-setup=/bin/true "(hd0)"
Details follow:
It was discovered that GRUB 2 did not properly validate passwords. An
attacker with physical access could conduct a brute force attack and bypass
authentication by submitting a 1 character password.
