#1102217 grub2: CVE-2024-56738

Package:
src:grub2
Source:
src:grub2
Submitter:
Salvatore Bonaccorso
Date:
2025-05-02 14:36:02 UTC
Severity:
normal
Tags:
#1102217#5
Date:
2025-04-06 14:08:49 UTC
From:
To:
Hi,

The following vulnerability was published for grub2.

CVE-2024-56738[0]:
| GNU GRUB (aka GRUB2) through 2.12 does not use a constant-time
| algorithm for grub_crypto_memcmp and thus allows side-channel
| attacks.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-56738
https://www.cve.org/CVERecord?id=CVE-2024-56738
[1] https://savannah.gnu.org/bugs/?66603
[2] https://bugzilla.suse.com/show_bug.cgi?id=1234959#c2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1102217#10
Date:
2025-05-01 05:07:03 UTC
From:
To:
Hi Mostafa,

TTBOMK, this has not yet been fixed upstream itself and the upstream
bug https://savannah.gnu.org/bugs/?66603 is not yet acted on. Is this
correct?

If so I think the first step would be to get the change accepted
upstream, at which point it can flow down to Debian as well.

Can you ping upstream on the upstream status (and report back to us as
well)? Ideally by including again the bugreport #1102217 in Debian.

Regards,
Salvatore

#1102217#15
Date:
2025-05-02 14:32:47 UTC
From:
To:
Hi Salvatore,

Following up on your request, I checked the upstream GRUB bug report for this issue: https://savannah.gnu.org/bugs/?66603

The bug is still open. A maintainer (Vladimir Serbinenko) commented in December 2024 about a plan to switch to libgcrypt functions, but there hasn't been recent activity.

I have added a comment to the upstream bug report asking for an update on the libgcrypt plan and whether applying the direct constant-time fix (similar to the one proposed upstream and the patch I submitted here) would be acceptable in the meantime, given the ongoing impact on Debian.

I will report back here if there are further updates from upstream.

Thanks,
Mostafa
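The CVE text in the first message (grub_crypto_memcmp not being constant-time) and the "direct constant-time fix" Mostafa mentions above both come down to the same comparison pattern. The following is an added example, not code from this bug report, from GRUB's source tree, or from the patch submitted to the BTS: a constructed early-exit compare (illustrative of the bug class, not a copy of GRUB's implementation) beside a constant-time compare, with a step counter so the leak is visible without a timer. The 16-byte "secret" is a constructed value, not a real digest.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative early-exit compare (NOT GRUB's grub_crypto_memcmp): it
 * returns at the first mismatching byte, so its running time depends on
 * where the secret and the attacker-controlled input first differ.
 * 'steps' receives the number of bytes examined, which is exactly the
 * quantity a timing side channel lets an attacker estimate.
 */
static int leaky_memcmp(const void *a, const void *b, size_t n, size_t *steps)
{
    const uint8_t *pa = a, *pb = b;
    size_t i;

    for (i = 0; i < n; i++) {
        if (pa[i] != pb[i]) {
            if (steps)
                *steps = i + 1;
            return 1;
        }
    }
    if (steps)
        *steps = n;
    return 0;
}

/*
 * Constant-time compare: always visits all n bytes, ORs together the XOR
 * of each byte pair, and collapses the accumulator to 0/1 without a
 * data-dependent branch.  volatile discourages the compiler from turning
 * the loop back into an early exit; the generated assembly should still
 * be inspected before relying on this in a real build.
 */
static int ct_memcmp(const void *a, const void *b, size_t n, size_t *steps)
{
    const volatile uint8_t *pa = a;
    const volatile uint8_t *pb = b;
    uint8_t acc = 0;
    size_t i;

    for (i = 0; i < n; i++)
        acc |= (uint8_t)(pa[i] ^ pb[i]);
    if (steps)
        *steps = n;
    /* acc | -acc has its top bit set iff acc != 0 */
    return (int)((uint8_t)(acc | (uint8_t)-acc) >> 7);
}

/* Constructed sample: a 16-byte "stored hash" (not a real digest). */
#define SECRET_LEN 16
static const uint8_t secret[SECRET_LEN] = {
    0x3c, 0xa1, 0x7e, 0x09, 0xd4, 0x55, 0x21, 0xf0,
    0x8b, 0x6e, 0xc2, 0x17, 0x99, 0x40, 0xde, 0x0a
};

/* Build a guess equal to secret except at byte 'pos'. */
static void make_guess(uint8_t *guess, size_t pos)
{
    memcpy(guess, secret, SECRET_LEN);
    guess[pos] ^= 0x01;
}

/* Bytes examined by the leaky compare for a guess differing at 'pos'. */
static size_t leaky_steps(size_t pos)
{
    uint8_t guess[SECRET_LEN];
    size_t steps;
    make_guess(guess, pos);
    leaky_memcmp(secret, guess, SECRET_LEN, &steps);
    return steps;
}

/* Bytes examined by the constant-time compare: always SECRET_LEN. */
static size_t ct_steps(size_t pos)
{
    uint8_t guess[SECRET_LEN];
    size_t steps;
    make_guess(guess, pos);
    ct_memcmp(secret, guess, SECRET_LEN, &steps);
    return steps;
}

int main(void)
{
    size_t pos;
    for (pos = 0; pos < SECRET_LEN; pos += 5)
        printf("mismatch at byte %2zu: leaky examines %2zu bytes, "
               "constant-time examines %2zu\n",
               pos, leaky_steps(pos), ct_steps(pos));
    return 0;
}
```

The step count of the leaky version tracks the position of the first mismatch, which is the signal a timing attack recovers one byte at a time; the constant-time version's work is independent of the input. volatile is a hint, not a guarantee, against the compiler reintroducing an early exit, which is one reason delegating to a library routine written for this purpose, as the upstream comment about libgcrypt suggests, is the more robust long-term fix.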
