Slashdot Mirror


0-Day GRUB2 Authentication Bypass Hits Linux (hmarco.org)

prisoninmate writes: A zero-day security flaw was discovered by developers Ismael Ripoll and Hector Marco in the upstream GRUB2 packages. GRUB2 did not correctly handle the backspace key when the bootloader was configured to use password-protected authentication, thus allowing a local attacker to bypass GRUB's password protection. Versions from 1.98 (December, 2009) to 2.02 (December, 2015) are affected. At the moment, it looks like only a few distributions received the patched GRUB2 versions, including Ubuntu, Debian (Squeeze LTS only) and Red Hat Enterprise Linux 7.

2 of 144 comments

  1. Slackware for the win by Bob the Super Hamste · Score: 1, Interesting

    Well Slackware is immune.

    Seriously, how can a bug like this hang around, as basic input validation is something that should be done?

    --
    Time to offend someone
  2. Re:Of course this is security by Anonymous Coward · Score: 3, Interesting

    What if you can't take the machine apart inconspicuously because the case is sealed? What if you have only 3 minutes before someone else comes by? Security is not black and zero at all.

    That is like the most contrived example ever. Perhaps you shouldn't take use cases from Hollywood flicks?
    We are talking about the boot process; the computer wouldn't be shut down if the user was away for three minutes.
    A more realistic scenario would be a laptop left in a hotel room, and an option would be to just steal the laptop and have all the time in the world.