Embed Notice
HTML Code
Corresponding Notice
- Embed this notice
翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Friday, 04-Apr-2025 15:21:14 JST 翠星石
@hfaust Of course they never name the GNU (there would be no mention of GNU if it wasn't for the 2 gnu.org URLs).
>extend our analysis to other bootloaders like U-boot and Barebox, which share code with GRUB2
Considering you cannot combine GPLv3-or-later with GPLv2-only, this doesn't seem correct.
They also write about "saving a weeks worth of time", but they've clearly wasted more than a weeks worth of time filing pointless CVEs (which are only useful if you want to embarrass a proprietary software developer into fixing bugs).
>The dangers of a GRUB2
>Since bootloaders run before operating systems run
Of course it's sooo dangerous to run GRUB and GRUB isn't an OS.
If you want NX, ASLR, pointer authentication or stack cookies/canaries, it's simply a matter of enabling that in GCC or implementing it in the GRUB OS.
>Suggestion of completely junk integer overflow detection like; if (size + 1 < size)
It looks convincing, but those sort of checks *do not work*.
The only working way to detect integer overflow is to use a compiler built-in like; __builtin_add_overflow https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html
https://git.savannah.gnu.org/cgit/grub.git/tree/include/grub/safemath.h#n29