GRUB Security Exploit

A GRUB boot loader security flaw was announced around the web. Major distro maintainers hastily released patches.

The patches caused many systems to fail to boot. Rather than booting normally, the computer drops to a GRUB rescue prompt with the error message "symbol 'grub_calloc' not found".

The failure caused by the hasty patches affected at least Debian, Ubuntu, and Red Hat/CentOS systems.

Likely not all computers are affected, but I confirmed the failure on two Debian systems. Neither system is using secure boot or EFI. Forums online are filled with similar reports.
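As an added diagnostic, not part of the original post: on Debian-style grub-pc (BIOS/MBR) installs, the package's postinst re-runs grub-install only on the disks stored in the debconf key grub-pc/install_devices. When that list is empty or names a disk that no longer exists, the modules under /boot/grub receive the new code while the core image in the boot sector keeps the old one, and the old core cannot resolve grub_calloc, the symbol the patch introduced. The script below parses that list out of the text of debconf-show and flags stale or empty entries so the mismatch can be caught before the next grub-pc upgrade. The two sample debconf outputs, the --live flag and the boot_disk helper are my own constructions, not anything from the distributions' packaging.

```shell
#!/bin/sh
# Added diagnostic for the "symbol 'grub_calloc' not found" failure; not code
# from the original post. Assumes a Debian/Ubuntu grub-pc (BIOS/MBR) install,
# where the package postinst only re-runs grub-install on the devices listed
# in the debconf key grub-pc/install_devices. If that list is empty or points
# at a disk that no longer exists, /boot/grub/*.mod gets updated but the core
# image in the boot sector does not, so the old core lacks grub_calloc.

# Extract the configured install devices (one per line) from the text of
# `debconf-show grub-pc`. Entries are comma-separated; a leading "* " marks a
# question that has already been asked. The trailing colon keeps the related
# keys install_devices_empty and install_devices_disks_changed from matching.
grub_install_devices() {
    printf '%s\n' "$1" \
      | sed -n 's/^\*\{0,1\} *grub-pc\/install_devices: *//p' \
      | tr ',' '\n' \
      | sed 's/^ *//; s/ *$//; /^$/d'
}

# Return 0 when the list is non-empty and every entry exists (by-id symlinks
# must resolve), 1 otherwise. Prints one line per device.
check_install_devices() {
    devs=$(grub_install_devices "$1")
    if [ -z "$devs" ]; then
        echo "STALE: no install devices configured; boot sector was not updated"
        return 1
    fi
    status=0
    for d in $devs; do
        if [ -e "$d" ]; then
            echo "ok: $d -> $(readlink -f "$d")"
        else
            echo "STALE: $d does not exist; grub-install did not touch the boot disk"
            status=1
        fi
    done
    return $status
}

# On a live system, the disk that really holds /boot, for comparison with the
# configured list. Needs util-linux findmnt/lsblk; for /boot on LVM or RAID
# the parent reported is the dm/md device, not the physical disk.
boot_disk() {
    part=$(findmnt -T /boot -no SOURCE)
    lsblk -no PKNAME "$part" | head -n 1
}

# Constructed sample: debconf-show output after the disk holding the original
# install was replaced, so the by-id symlink no longer exists.
SAMPLE_STALE='* grub-pc/install_devices: /dev/disk/by-id/ata-OLD_DISK_SERIAL
  grub-pc/install_devices_empty: false
  grub-pc/install_devices_disks_changed:'

# Constructed sample with an empty list, the other common way to hit this.
SAMPLE_EMPTY='  grub-pc/install_devices:
* grub-pc/install_devices_empty: true'

if [ "${1:-}" = "--live" ]; then
    # Real run (hypothetical flag): debconf-show needs root. Prints the disk
    # /boot lives on so it can be compared with the configured entries.
    echo "boot disk: /dev/$(boot_disk)"
    check_install_devices "$(debconf-show grub-pc)" \
      || echo "fix the list with: dpkg-reconfigure grub-pc"
else
    check_install_devices "$SAMPLE_STALE" || echo "(expected: stale entry)"
    check_install_devices "$SAMPLE_EMPTY" || echo "(expected: empty list)"
fi
```

Run without arguments it exercises the two constructed samples; with --live it reads the real debconf database. A system that is already at the rescue prompt cannot load any new module, since every module now references grub_calloc, so recovery means booting rescue media, chrooting into the root filesystem and running grub-install on the disk that boot_disk reports; the check above is meant to run before an upgrade, not after.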

Fortunately at work I hadn’t updated any servers.

Why were these GRUB patches released without testing? Hastily releasing a patch was in poor judgment because exploiting the flaw requires access to the computer and admin privileges. Upstream folks did not need to rush.

At all.

Perhaps the hasty behavior was caused by people tempted by the lure of modern-day knee-jerk public relations (PR) and click-bait headlines. “Patch now!” “Update now!”
