@hfaust Of course they never name the GNU (there would be no mention of GNU if it wasn't for the 2 gnu.org URLs).

>extend our analysis to other bootloaders like U-boot and Barebox, which share code with GRUB2
Considering you cannot combine GPLv3-or-later with GPLv2-only, this doesn't seem correct.

They also write about "saving a weeks worth of time", but they've clearly wasted more than a weeks worth of time filing pointless CVEs (which are only useful if you want to embarrass a proprietary software developer into fixing bugs).

>The dangers of a GRUB2
>Since bootloaders run before operating systems run
Of course it's sooo dangerous to run GRUB and GRUB isn't an OS.

If you want NX, ASLR, pointer authentication or stack cookies/canaries, it's simply a matter of enabling that in GCC or implementing it in the GRUB OS.

>Suggestion of completely junk integer overflow detection like; if (size + 1 < size)
It looks convincing, but those sort of checks *do not work*.

The only working way to detect integer overflow is to use a compiler built-in like; __builtin_add_overflow https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html

https://git.savannah.gnu.org/cgit/grub.git/tree/include/grub/safemath.h#n29