author: Salvatore Bonaccorso <carnil@debian.org> 2020-08-10 07:42:09 +0200
committer: Salvatore Bonaccorso <carnil@debian.org> 2020-08-10 07:42:09 +0200
commit: 1df18f7e0909dea09509f40fae94c2d826cf1892
tree: 871e7e8253f7ccb654f2b31260dc297116f9f3e4
parent: b35a6fd4d1f6d2fa644e4c5d87f2a5d2b0bf4c1b
Update information on CVE-2020-15705 with (hopefully enough) detailed clarification
-rw-r--r-- data/CVE/list.2020 | 8
1 files changed, 6 insertions, 2 deletions
diff --git a/data/CVE/list.2020 b/data/CVE/list.2020
index aaf7125408..78e3679c60 100644
--- a/data/CVE/list.2020
+++ b/data/CVE/list.2020
@@ -3660,8 +3660,12 @@ CVE-2020-15706 (GRUB2 contains a race condition in grub_script_function_create()
NOTE: https://www.openwall.com/lists/oss-security/2020/07/29/3
NOTE: https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=426f57383d647406ae9c628c472059c27cd6e040
CVE-2020-15705 (GRUB2 fails to validate kernel signature when booted directly without ...)
- - grub2 <unfixed> (unimportant)
- NOTE: Issue does not affect standard SB Debian setup.
+ - grub2 <not-affected> (Vulnerable code specific in Ubuntu)
+ NOTE: Debian's grub_linuxefi_secure_validate has different interface than the one in
+ NOTE: Ubuntu and returns the code from "shim not available" and "kernel signature
+ NOTE: verification failed". The patch for CVE-2020-15705 is essentially about handling
+ NOTE: those two cases in the same way when they were previously handled differently,
+ NOTE: and so not a problem for src:grub2 in Debian.
NOTE: https://www.openwall.com/lists/oss-security/2020/07/29/3
CVE-2020-15704 [ppp ZDI-CAN-11504]
RESERVED
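Review bot: The added NOTE lines for CVE-2020-15705 say Debian's grub_linuxefi_secure_validate "returns the code from" the two failure cases, which does not state the property the <not-affected> verdict depends on. If the intent is that Debian's function yields the same result for "shim not available" and "kernel signature verification failed", write that explicitly, for example "returns the same code for". The parenthetical on the status line would read more clearly as "Vulnerable code specific to Ubuntu", and a further NOTE pointing at the Debian source or patch that defines the function would let a later reader confirm the difference in interface without re-deriving it.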
