grub-devel

Re: Imminent bugfix release (1.97.1)


From: Vladimir 'phcoder' Serbinenko
Subject: Re: Imminent bugfix release (1.97.1)
Date: Mon, 09 Nov 2009 14:50:36 +0100
User-agent: Mozilla-Thunderbird 2.0.0.22 (X11/20090701)

Bean wrote:
> On Mon, Nov 9, 2009 at 9:04 AM, Robert Millan <address@hidden> wrote:
>   
>> A security problem [1] was found in our password-checking routines,
>> which affects GRUB 1.97.  I'll be releasing 1.97.1 tomorrow.
>>
>> Additionally, I cherry-picked fixes for a few problems that should
>> have made it to the release, like GNU/Hurd support (see NEWS file
>> for details).  The release branch is available in:
>>
>>  sftp://bzr.savannah.gnu.org/srv/bzr/grub/branches/release_1_97/
>>
>> If you have time, please test this tree, especially password support,
>> to help find possible problems.
>>     
>
> Hi,
>
> Actually, the function of grub_auth_strcmp puzzles me, why would it
> need to wait 100 ms to return the result?
10 ms actually. The goal is to take the same amount of time independently of
input values. But probably the delay should be around the whole thing, and
that's how I'll do it, but for this urgent release this will do.
> grub_auth_strcmp is used in
> many places, so the authorized could take some time to complete. And
> there is a hidden issue in it, grub_auth_strcmp can accept NULL
> pointer as input, but grub_strcmp doesn't check for NULL pointer.
>
>   
Current codebase didn't use it


-- 
Regards
Vladimir 'phcoder' Serbinenko


Attachment: signature.asc
Description: OpenPGP digital signature
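
An added example, not GRUB's code and not part of this thread: one way to meet the goal stated in the reply (run time independent of the input values) together with the NULL-pointer concern raised in the quoted message, using a fixed-iteration comparison instead of a delay. The names `ct_auth_strcmp` and `AUTH_MAX_LEN` are hypothetical, and the sample strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical upper bound on credential length; not a GRUB constant. */
#define AUTH_MAX_LEN 1024

/* Returns 0 when the strings are equal, 1 otherwise.
   The loop always runs AUTH_MAX_LEN times, with no early exit on the
   first mismatch, so the iteration count does not reveal how many
   leading characters of the input were correct.  */
int
ct_auth_strcmp (const char *input, const char *expected)
{
  unsigned int diff = 0;
  size_t i, ii = 0, ei = 0;

  /* A NULL argument never matches; substitute "" so the loop still runs
     and nothing dereferences a NULL pointer.  */
  if (input == NULL) { input = ""; diff = 1; }
  if (expected == NULL) { expected = ""; diff = 1; }

  for (i = 0; i < AUTH_MAX_LEN; i++)
    {
      unsigned char a = (unsigned char) input[ii];
      unsigned char b = (unsigned char) expected[ei];

      diff |= (unsigned int) (a ^ b);
      /* Each index stops at its own terminator, so reads stay in bounds. */
      ii += (a != 0);
      ei += (b != 0);
    }

  /* Strings longer than the bound are rejected rather than truncated. */
  diff |= (unsigned char) input[ii];
  diff |= (unsigned char) expected[ei];
  return diff != 0;
}

int
main (void)
{
  /* Constructed inputs: equal, last character differs, NULL input. */
  printf ("%d %d %d\n", ct_auth_strcmp ("secret", "secret"),
          ct_auth_strcmp ("secret", "secreT"),
          ct_auth_strcmp (NULL, "secret"));
  return 0;
}
```

A C compiler is free to transform this loop, so the timing behaviour of the generated code on the target still has to be checked.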

