Hi Salvatore,

Following up on your request, I checked the upstream GRUB bug report for this issue:
https://savannah.gnu.org/bugs/?66603

The bug is still open. A maintainer (Vladimir Serbinenko) commented in December 2024 about a plan to switch to libgcrypt functions, but there hasn't been recent activity.

I have added a comment to the upstream bug report asking for an update on the libgcrypt plan and whether applying the direct constant-time fix (similar to the one proposed upstream and the patch I submitted here) would be acceptable in the meantime, given the ongoing impact on Debian.

I will report back here if there are further updates from upstream.

Thanks,
Mostafa

________________________________
From: Salvatore Bonaccorso <salvatore.bonacco...@gmail.com> on behalf of Salvatore Bonaccorso <car...@debian.org>
Sent: Thursday, May 1, 2025 1:07 AM
To: Amin, Mostafa <mostafa.a...@windriver.com>
Cc: pkg-grub-de...@alioth-lists.debian.net <pkg-grub-de...@alioth-lists.debian.net>; t...@security.debian.org <t...@security.debian.org>; 1102...@bugs.debian.org <1102...@bugs.debian.org>
Subject: Re: CVE-2024-56738: Fix for grub_crypto_memcmp to use constant-time algorithm

CAUTION: This email comes from a non Wind River email account! Do not click links or open attachments unless you recognize the sender and know the content is safe.

Hi Mostafa,

On Tue, Apr 29, 2025 at 04:12:03PM +0000, Amin, Mostafa wrote:
> Dear Security team,
>
> I am submitting a fix for CVE-2024-56738 affecting the GRUB2 package in
> Debian.
>
> Description of the vulnerability:
> GNU GRUB (aka GRUB2) through 2.12 does not use a constant-time
> algorithm for grub_crypto_memcmp and thus allows side-channel
> attacks. The current implementation returns early when a difference
> is found, which can lead to timing attacks that reveal information
> about the compared data.
>
> Affected Debian versions:
> - bookworm
> - bullseye
> - trixie/sid
>
> The fix implements a constant-time comparison algorithm that:
> 1. Uses bitwise operations (XOR and OR) instead of conditional branching
> 2. Always processes all bytes regardless of whether differences are found
> 3. Uses volatile to prevent compiler optimizations that could reintroduce
>    timing issues
>
> I've verified that the patch is syntactically correct and implements
> proper constant-time comparison according to cryptographic best
> practices.
>
>
> I've attached the patch file to this email.

TTBOMK, this has not yet been fixed upstream itself and the upstream bug https://savannah.gnu.org/bugs/?66603 is not yet acted on, is this correct? Is this correct?

If so I think the first step would be to make it accepted upstream change at which point it can flow down to Debian as well.

Can you ping upstream on the upstream status (and report back to us as well?). Ideally by including again the bugreport #1102217 in Debian.

Regards,
Salvatore
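
The three properties listed in the quoted report (XOR/OR accumulation, always processing every byte, a volatile accumulator) can be seen in the following added example, which is not the patch attached to this thread and not GRUB's code. The names leaky_memcmp, ct_memcmp, the step counters and the sample strings are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Early-exit compare, the behaviour the report describes: the number of
   bytes examined (*steps) depends on where the first mismatch is. */
int leaky_memcmp(const void *a, const void *b, size_t n, size_t *steps)
{
    const uint8_t *pa = a, *pb = b;
    for (size_t i = 0; i < n; i++) {
        if (pa[i] != pb[i]) {
            *steps = i + 1;
            return 1;
        }
    }
    *steps = n;
    return 0;
}

/* Constant-time compare: XOR each byte pair, OR the result into an
   accumulator, never branch on the data, always walk all n bytes. */
int ct_memcmp(const void *a, const void *b, size_t n, size_t *steps)
{
    const volatile uint8_t *pa = a, *pb = b;
    volatile uint8_t diff = 0;  /* volatile: the compiler must not short-circuit */
    size_t i;
    for (i = 0; i < n; i++)
        diff |= (uint8_t)(pa[i] ^ pb[i]);
    *steps = i;
    /* Map 0 -> 0 and 1..255 -> 1 without a data-dependent branch. */
    return (int)(((unsigned)diff + 0xFFu) >> 8);
}

/* Constructed sample values, not taken from GRUB. */
static const char REF[]       = "0123456789abcdef";
static const char BAD_FIRST[] = "X123456789abcdef";
static const char BAD_LAST[]  = "0123456789abcdeX";

/* Bytes examined / result of each routine when comparing REF with guess. */
size_t leaky_steps(const char *g) { size_t s; leaky_memcmp(REF, g, 16, &s); return s; }
size_t ct_steps(const char *g)    { size_t s; ct_memcmp(REF, g, 16, &s); return s; }
int ct_result(const char *g)      { size_t s; return ct_memcmp(REF, g, 16, &s); }

int main(void)
{
    printf("early-exit: first=%zu last=%zu\n", leaky_steps(BAD_FIRST), leaky_steps(BAD_LAST));
    printf("constant  : first=%zu last=%zu\n", ct_steps(BAD_FIRST), ct_steps(BAD_LAST));
    return 0;
}
```

The step counter exists only to make the data-dependent work visible; a production comparison routine would not carry it.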