• Bug#1105108: grub2: CVE-2025-4382

    From Salvatore Bonaccorso@21:1/5 to All on Sun May 11 14:20:01 2025
    Source: grub2
    Severity: important
    Tags: security upstream
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerability was published for grub2.

    CVE-2025-4382[0]:
    | A flaw was found in systems utilizing LUKS-encrypted disks with GRUB
    | configured for TPM-based auto-decryption. When GRUB is set to
    | automatically decrypt disks using keys stored in the TPM, it reads
    | the decryption key into system memory. If an attacker with physical
    | access can corrupt the underlying filesystem superblock, GRUB will
    | fail to locate a valid filesystem and enter rescue mode. At this
    | point, the disk is already decrypted, and the decryption key remains
    | loaded in system memory. This scenario may allow an attacker with
    | physical access to access the unencrypted data without any further
    | authentication, thereby compromising data confidentiality.
    | Furthermore, the ability to force this state through filesystem
    | corruption also presents a data integrity concern.

    The fix depends code on introducing as well code introduced later to
    be able to block command line interface at build time, but my
    understanding would be that it is present before?

    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-4382
    https://www.cve.org/CVERecord?id=CVE-2025-4382
    [1] https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=c448f511e74cb7c776b314fcb7943f98d3f22b6d

    Please adjust the affected versions in the BTS as needed.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)