Package: extlinux
Version: 2:4.02+dfsg-7
Severity: important

Hi,

after upgrading to squeeze and installing the new extlinux package I
stumbled upon the following:

server:~# grep ^dd /usr/sbin/extlinux-install
dd if="${_DEVICE}" of=/boot/mbr-$(basename "${_DEVICE}").old bs=466 count=1 2> /dev/null
dd if=/usr/lib/extlinux/mbr.bin of="${_DEVICE}" bs=466 count=1 2> /dev/null
server:~# ls -l /usr/lib/extlinux/mbr.bin
-rw-r--r-- 1 root root 440 Oct 14 23:19 /usr/lib/extlinux/mbr.bin

As far as I know, the MBR contains a 440-byte boot loader, followed by 6 bytes
of other stuff, followed by a 64-byte partition table. But extlinux-install
uses dd to copy 466 bytes from the device to an MBR backup file and then
from mbr.bin to the device.

This looks dangerous to me. Maybe dd stops after reaching the end of its
input file mbr.bin, which is only 440 bytes, so the other stuff and the
partition table are not harmed. But still the MBR backup file will contain a
broken partition table. If the user tries to restore the MBR using this
backup and has used fdisk in the meantime, bad things will happen.

I think the script extlinux-install should copy only 440 bytes when doing
the backup and when installing the MBR.

Greetings,
Kolja Nowak.



-- System Information:
Debian Release: 6.0
  APT prefers squeeze-updates
  APT policy: (500, 'squeeze-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages extlinux depends on:
ii  debconf [debconf-2.0]         1.5.36.1   Debian configuration management sy
ii  libc6                         2.11.2-10  Embedded GNU C Library: Shared lib

Versions of packages extlinux recommends:
ii  syslinux-common            2:4.02+dfsg-7 collection of boot loaders (common
pn  syslinux-themes-debian     <none>        (no description available)

extlinux suggests no packages.

-- debconf information excluded
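
Added example, not part of the original report or of the extlinux package: a reproduction on a constructed 512-byte image file of what a 466-byte backup and restore does to a partition table that changed in between, next to the 440-byte variant the report proposes. With the table at offset 446, a 466-byte copy reaches 20 bytes into it. The function names (`make_mbr`, `table_of`, `table_after_restore`) and the 'A'/'B' fill bytes are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: works on a constructed image file in a temp dir, never on a device.
set -eu

# Build a fake MBR: 446 zero bytes (440 boot code + 6 "other" bytes),
# a 64-byte partition table filled with the letter $2, and the 0x55AA signature.
make_mbr() {
    {
        dd if=/dev/zero bs=446 count=1 2>/dev/null
        dd if=/dev/zero bs=64 count=1 2>/dev/null | tr '\0' "$2"
        printf '\125\252'
    } > "$1"
}

# Print the 64-byte partition table area (offsets 446..509) of image $1.
table_of() {
    dd if="$1" bs=1 skip=446 count=64 2>/dev/null
}

# Back up $1 bytes, change the table, restore $1 bytes; print the resulting table.
table_after_restore() {
    size=$1
    dir=$(mktemp -d)
    make_mbr "$dir/disk.img" A                       # old layout: all 'A'
    dd if="$dir/disk.img" of="$dir/mbr.old" bs="$size" count=1 2>/dev/null
    # Simulate a later fdisk run: the table becomes all 'B'.
    dd if=/dev/zero bs=64 count=1 2>/dev/null | tr '\0' B |
        dd of="$dir/disk.img" bs=1 seek=446 conv=notrunc 2>/dev/null
    # Restore the backup. conv=notrunc is needed here only because the
    # target is a regular file; a block device is never truncated by dd.
    dd if="$dir/mbr.old" of="$dir/disk.img" bs="$size" count=1 conv=notrunc 2>/dev/null
    table_of "$dir/disk.img"
    rm -rf "$dir"
}

echo "restore 466 bytes: $(table_after_restore 466)"
echo "restore 440 bytes: $(table_after_restore 440)"
```

In the 466-byte run the first 20 bytes of the table revert to the old 'A' content while the rest keeps the new 'B' content, so the restored table is a mix of two layouts; the 440-byte run leaves the table untouched.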


