Has Grub2 been updated for boothole related issues?

mkgscott · August 8, 2020, 4:12pm

I haven’t been able to find if the boothole and related issues have been fixed for Fedora. Grub2 for CentOS seems to have been fixed (https://pkgs.org/). However, I don’t think the same update is available for Fedora. Also, Debian and Ubuntu have a detailed page on this issue, its effect and how it needs to be fixed. I haven’t come across anything like this for Fedora. Is something like that available?

mkgscott · August 11, 2020, 5:29am

If I am not wrong Grub2 still hasn’t been updated on Fedora (https://fedora.pkgs.org/32/fedora-aarch64/grub2-common-2.04-12.fc32.noarch.rpm.html). I was going to switch from Pop OS to Fedora, but I decided to wait until this whole issue stabilizes. Is the update in the pipeline? Or I am looking at something different.

vgaetera · August 11, 2020, 12:08pm

It looks like the Boot Hole Vulnerability aka CVE-2020-10713 is just one of the recently reported bunch of CVE issues.

lcts · August 11, 2020, 12:16pm

Hi @mkgscott & welcome to the community.

A fix for this appears to be in 2.04-27 (Check CVEs in the Changelog section), which isn’t in the repos yet. We’re in the middle of rebuilds/branching etc. in preparation for the F33 release, so I don’t know when this update will be released to the repositories - but likely soon.

Regarding more information about this issue, you can check out the RedHat vulnerability site for this issue.

mkgscott · August 11, 2020, 4:28pm

Thanks for the answer. It clarifies the situation for me.

This is really helpful.

mkgscott · August 17, 2020, 3:45pm

I was going through the 2.04-27 changelogs. It says “minor” bug fixes for
Resolves: CVE-2020-14308
Resolves: CVE-2020-14309
Resolves: CVE-2020-14310
Resolves: CVE-2020-14311
Resolves: CVE-2020-15705
Resolves: CVE-2020-15706
Resolves: CVE-2020-15707
Everyone made a big issue about all these vulnerabilities. I get that you need either physical or root access to exploit them. But I am confused why these are considered as “minor” updates when other distros are treating them as critical vulnerabilities?

carlwgeorge · August 17, 2020, 3:45pm

The build containing the fix will vary between Fedora releases. 2.04-27 is correct for Fedora 33, but in Fedora 32 the fix is in 2.04-22.

lcts · August 17, 2020, 5:14pm

You’d have to ask the maintainer of the grub2 package about that, but if I had to guess, I’d take the ‘minor’ to refer to the scale of the changes (i.e. doesn’t significantly impact user experience), rather than their importance. In any case, this is just the description the maintainer chose to give in the update, it has no impact on how quickly the fixes will available in the repositories.