USN-868-1: GRUB 2 vulnerability

9 December 2009

grub2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 9.10

Software Description

  • grub2


It was discovered that GRUB 2 did not properly validate passwords. An attacker with physical access could conduct a brute force attack and bypass authentication by submitting a 1 character password.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.10
grub2 - 1.97~beta4-1ubuntu4.1

To update your system, please follow these instructions:

In general, a standard system upgrade is sufficient to effect the necessary changes.

Users who have upgraded from GRUB Legacy to GRUB 2 and did not run ‘upgrade-from-grub-legacy’ (ie those who are still using Grub Legacy to chainload into GRUB 2) will have to run the following command (possibly adjusting ‘hd0’) to update GRUB 2’s on disk core image:

$ sudo grub-install –no-floppy –grub-setup=/bin/true “(hd0)”