[Bug 644206] Re: update-grub should not automatically configure booting from removable devices?

Marcus Tomlinson marcus.tomlinson at canonical.com
Thu Mar 5 12:35:58 UTC 2020


This release of Ubuntu is no longer receiving maintenance updates. If
this is still an issue on a maintained version of Ubuntu please let us
know.

** Changed in: grub2 (Ubuntu)
       Status: Confirmed => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/644206

Title:
  update-grub should not automatically configure booting from removable
  devices?

Status in grub2 package in Ubuntu:
  Incomplete

Bug description:
  Binary package hint: grub2

  Affected: 1.98+20100804-4ubuntu6

  $ lsb_release -a
  No LSB modules are available.
  Distributor ID:	Ubuntu
  Description:	Ubuntu maverick (development branch)
  Release:	10.10
  Codename:	maverick
  Totally by coincidence, I ran apt-get upgrade with a random card in a card reader.

  The card had a maverick chroot on it (for a foreign architecture, so
  totally unbootable...)

  Look what happens:

  # update-grub
  Generating grub.cfg ...
  Found linux image: /boot/vmlinuz-2.6.35-22-generic
  Found initrd image: /boot/initrd.img-2.6.35-22-generic
  Found memtest86+ image: /boot/memtest86+.bin
  Found memtest86+ multiboot image: /boot/memtest86+_multiboot.bin
  Found Ubuntu maverick (development branch) (10.10) on /dev/sdg2
  done
  # cat /sys/block/sdg/removable
  1

  Even more surprising, when I rebooted, grub popped up a boot menu
  giving me a chance to boot that removable device (which happened to be
  still plugged in).

  I would question whether a removable device should be magically added
  to the boot device list when running update-grub.

  For automated upgrades, magically adding random devices which aren't
  part of the installation to the boot list seems undesirable/unuseful
  at best.  At worst, it's a security hole, though probably not very
  practical to exploit - there are ways an attacker could trick a naive
  user into setting up a removable device with a poisoned image and then
  triggering (or simply waiting for) a package update. I don't know
  whether there's an easy way to cause the new device to be the default,
  but it might be possible--- I'll leave others to judge.

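Added example, not from the bug report or from grub/os-prober: a POSIX shell check that applies the same /sys/block/<disk>/removable test the reporter used to os-prober's output, so an administrator can see before rebooting whether update-grub is about to add menu entries for media that is not part of the installation. It assumes os-prober's "device:long name:label:boot type" line format, and the SYSFS override exists only so the check can be exercised against a constructed sysfs tree.

```shell
#!/bin/sh
# Added example, not part of the bug report: flag os-prober results whose disk
# reports removable=1 in sysfs. SYSFS can be pointed at a constructed tree for
# testing (assumption: real systems use /sys).
SYSFS="${SYSFS:-/sys}"

# Map a partition node to its parent disk name:
#   /dev/sdg2 -> sdg, /dev/nvme0n1p2 -> nvme0n1, /dev/mmcblk0p1 -> mmcblk0
parent_disk() {
    name=${1#/dev/}
    case "$name" in
        nvme*|mmcblk*) printf '%s\n' "${name%p[0-9]*}" ;;
        *)             printf '%s\n' "${name%%[0-9]*}" ;;
    esac
}

# Print the disk's sysfs removable flag (1 or 0), or "unknown" if absent.
removable_state() {
    f="$SYSFS/block/$1/removable"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Classify one os-prober line ("device:long name:label:boot type", assumed
# format) as "removable <dev>", "fixed <dev>" or "unknown <dev>".
classify_entry() {
    dev=${1%%:*}
    case "$(removable_state "$(parent_disk "$dev")")" in
        1) printf 'removable %s\n' "$dev" ;;
        0) printf 'fixed %s\n' "$dev" ;;
        *) printf 'unknown %s\n' "$dev" ;;
    esac
}

# Read os-prober output on stdin, report every entry, and return 1 if any
# entry sits on removable media (so the check can gate a reboot).
scan_entries() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        result=$(classify_entry "$line")
        printf '%-9s %s\n' "${result%% *}" "$line"
        case "$result" in removable*) rc=1 ;; esac
    done
    return "$rc"
}

# Usage: os-prober | sh check_removable_boot.sh scan
if [ "${1:-}" = scan ]; then scan_entries; fi
```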