GRUB2 Bootloader Vulnerabilities Expose Millions of Systems to Attacks
A series of critical vulnerabilities have been discovered in GRUB2, the popular boot loader used by many Linux distributions. These flaws could allow attackers to bypass security measures, potentially compromising millions of systems globally.

Daniel Kiper, a GRUB maintainer, recently published a report detailing the vulnerabilities, which range from .... https://securityonline.info/grub2-bootloader-vulnerabilities-expose-millions-of-systems-to-attacks/


Comments
@beanman109 important news, don't miss
days ruined now, thanks
seems to be from last week: https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html
@allthemtings important news don’t miss
@emgh important news, don't miss
@wadhah important news don’t miss
@Blembim important news don't miss
@FAT32 important news don't miss
@admax important news don't miss
@sh97 important news don't miss
@barbaros important news don't miss
But tbh this won't make me restart my relays
How is this remotely executable in any way? Other than you piping some random script to bash that will insert a bad .jpeg into grub.cfg?
Oh, I love how the gentlemen are looking after each other
@Decicus important news don't miss
None of this applies to low end. Even this:
The most severe vulnerability (CVE-2025-0624) introduces the possibility of remote code execution if exploited during a network boot sequence.
If someone is able to intervene with NBS, you are fckd before the GRUB loader is even initialized. No one cares enough about low end to exploit these vulns to peek into low enders' ISO stuff.
@plumberg important news don't miss
No important news, I will miss
@jbiloh important news don't miss
@FatGrizzly important news don't miss
TL;DR mem allocs not checked, env vars/input not length checked, and plenty of integer overflows, aka bloody noob or careless idiot errors. Enjoy what the crowd OS has devolved to ...
But hey, there are good news too, that shitfuckery had to be - and has been - made within the frame of woke idiotic code of conduct.
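The three bug classes named in that TL;DR (unchecked allocation, unchecked input length, integer overflow in a size computation) side by side with their checked forms, as a constructed example added here; this is not GRUB code and does not reproduce any of the reported flaws. It assumes a GCC/Clang compiler for `__builtin_mul_overflow`.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug classes, not GRUB's code. */

/* Unchecked pattern: count * elem_size can wrap to a small value, and the
 * caller then writes count elements into a buffer far too small for them.
 * malloc's NULL return is never tested either. */
void *alloc_array_unchecked(size_t count, size_t elem_size) {
    size_t bytes = count * elem_size;   /* may silently wrap */
    return malloc(bytes);               /* NULL never checked */
}

/* Hardened pattern: refuse the request when the product overflows, and
 * report failure instead of handing back a pointer the caller may misuse. */
void *alloc_array_checked(size_t count, size_t elem_size) {
    size_t bytes;
    if (__builtin_mul_overflow(count, elem_size, &bytes) || bytes == 0)
        return NULL;                    /* overflow or empty: refuse */
    return malloc(bytes);
}

/* Reports 1 if the size computation for count * elem_size would wrap. */
int size_mul_wraps(size_t count, size_t elem_size) {
    size_t bytes;
    return __builtin_mul_overflow(count, elem_size, &bytes) ? 1 : 0;
}

/* Returns 1 when a checked allocation succeeds (and frees it), else 0. */
int checked_alloc_ok(size_t count, size_t elem_size) {
    void *p = alloc_array_checked(count, elem_size);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

/* Copying an environment-style value into a fixed buffer: the bounded
 * version rejects oversized input instead of overrunning dst. */
int copy_env_bounded(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (n + 1 > dst_len)
        return -1;                      /* too long: reject, no silent truncation */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Convenience wrapper with an 8-byte buffer so the bound is observable. */
int env_value_fits(const char *src) {
    char buf[8];
    return copy_env_bounded(buf, sizeof buf, src) == 0 ? 1 : 0;
}
```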
In an interview Torvalds tried to say that linux isn't communist, "it is stupid to say that linux is communist because linux is SCIENCE and science cannot be communist". He has this habit of trying to make his statements look right on the surface, and he might be clever enough to satisfy the inquisitiveness of my distant relative uncle Bubba. But then the bulk of academia is indeed communist and all those papers it produces are expensive toilet paper to fill publishing quotas. However the woke social contracts of linux aren't imposed from above by some dearest great leader, but spontaneously adopted to ease consumption. Ugh.
"Rust will fix this." - current fashionable response to any security incident
Frankly, I don't care for or even listen to him anymore. IMO the decay began to become visible when he made GKH basically his right hand man. Since then steady devolution and increasing wokeness.
Rust can't fix wokeness and idiocy, and btw, it's also harder to master than C.
Sorry for the bad news.
I wonder about that. Admittedly, all I know of Rust is from reading a tutorial. None of the concepts seemed radically new if someone knows other programming languages. Perhaps out of the gate there's more to learn with Rust vs. C. But then, there's also more to implement on your own in C, or seek out in libraries, which is added learning.
You used the verb 'master'. Given all the security bugs that are attributable to poor C programming practice, wouldn't that argue that C is more difficult to master?
Again, not a Rust programmer so I could be completely out to lunch on this.
Just don't ever reboot, problem solved
Depends on the perspective. When I say "master" I mean to write roughly equivalent code in terms of quality and speed. At least I personally also find C easier because it's conceptually easier (basically its goal was to create "portable assembly code"), while Rust may look somewhat similar but actually is an entirely different beast and, as far as I'm concerned, a non-satisfactory approach. If one really and seriously is concerned about safety (as I often have to be), a professional quite likely will choose a more formal approach, beginning with a formal (and verified!) spec (e.g. Alloy, TLA, VDM (my favourite)) and ending with writing the code in Ada.
Btw, probably due to both C's (still) omnipresence and other factors, there do exist diverse formal tools for it which, if applied (and understood), can lead to a C program that is verified to be safe/safer than most Rust code.
IMO the motivation behind Rust mainly is "a cheap way to achieve more safety"[1], albeit AFAIK very rarely formally verified (which is the only ruler to measure safety; everything else is a "better compromise" only. See E. Dijkstra).
[1] Just look where it comes from: Mozilla. a) a bad omen, and b) a clear hint; they really, really needed safer (as in "fewer errors/bugs") code from the many programmers they have (or at least had) and who couldn't be bothered to learn and use formal approaches; Rust basically was about "get thousands of programmers to write code that is significantly less buggy, and cheaply so".
P.S. oh, and of course cool as well ...
@emgh u have failed to send me news > @yermak said:
@raza19 Is this stupid?
I ignore all security news. All of them. Titles are always so drastic, but having updated my software, having a firewall and using SSH keys, if my server is vulnerable, so are most other servers.