/srv/irclogs.ubuntu.com/2024/03/15/#ubuntu-security.txt

=== chris14_ is now known as chris14
=== Juesto is now known as Juest
=== JanC_ is now known as JanC
=== arraybolt3_wc is now known as arraybolt3
[16:55] <arraybolt3> good grief, C is so full of footguns. Alright, that's what I had to say, thank you.
[16:56] <arraybolt3> (Trying to patch GRUB, and graduated from shell patches to actual bootloader patches. Trying to figure out if my strcpy is going to work without causing a buffer overflow is breaking my brain.)
[16:57] <sdeziel> apparently, that didn't stop them from adding image decoding to GRUB ;)
[16:59] <arraybolt3> If I survive this without accidentally creating at least one security vulnerability, I'm going to be relieved and slightly surprised.
[16:59] <arraybolt3> I just hope someone reviews my code really carefully :P
[16:59] <mdeslaur> we can pre-emptively assign you some CVEs now if you want :)
[16:59] <arraybolt3> hahahahaha
[17:00] <arraybolt3> thankfully "all" I have to do is introduce two environment variable lookups and fallbacks, that's it. As long as I can juggle the semantics of `len`, `strcpy`, and `sizeof` without dropping anything, we're good.
[17:01] <arraybolt3> (you can probably tell I almost never write C code)
[17:01] <mdeslaur> all 3? without messing up?
[17:04] <arraybolt3> actually my job may be done, looks like GRUB wisely reuses the open_envblk_file code for both loading and saving the environment block.
[17:07] <arraybolt3> anyway, if someone does want to see if I've successfully dodged all bullets, this was my patch: https://termbin.com/467u And this is the file after patching: https://termbin.com/cnix Goal - make `load_env` and `save_env` look at the `envpath` environment variable, and open the environment block from that file if the variable is set. Otherwise, fall back to using `prefix` like before.
[17:14] <mdeslaur> arraybolt3: I'd send your diff to chrisc to review, he's used to looking at grub code
