CVE-2009-4128

Published: 1 December 2009

GNU GRand Unified Bootloader (GRUB) 2 1.97 only compares the submitted portion of a password with the actual password, which makes it easier for physically proximate attackers to conduct brute force attacks and bypass authentication by submitting a password whose length is 1.

Notes

Author	Note
mdeslaur	grub2 only

Priority

Status

Package	Release	Status
grub2 Launchpad, Ubuntu, Debian	dapper	Not vulnerable (code-not-present)
	hardy	Not vulnerable (code-not-present)
	intrepid	Not vulnerable (code-not-present)
	jaunty	Not vulnerable (code-not-present)
	karmic	Released (1.97~beta4-1ubuntu4.1)
	upstream	Pending (1.97+experimental.20091110-1)

References

https://ubuntu.com/security/notices/USN-868-1
https://www.cve.org/CVERecord?id=CVE-2009-4128
NVD
Launchpad
Debian

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555195

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›