Verifying after decompression is a bad security practice. It relies on decompression having no security holes. Given how complex decompression is, this is almost guaranteed to be false.

On Wed, 13 Mar 2024, 18:08, Ross Lagerwall via Grub-devel <grub-devel@gnu.org> wrote:

> It is convenient and common to have binaries stored in gzip archives
> (e.g. xen.gz). Verification should be run after decompression rather
> than before so reorder the file filter list as appropriate.
>
> Signed-off-by: Ross Lagerwall
> ---
> include/grub/file.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/grub/file.h b/include/grub/file.h
> index a5bf3a792d6f..a1ef3582bc7b 100644
> --- a/include/grub/file.h
> +++ b/include/grub/file.h
> @@ -182,10 +182,10 @@ extern grub_disk_read_hook_t
> EXPORT_VAR(grub_file_progress_hook);
> /* Filters with lower ID are executed first. */
> typedef enum grub_file_filter_id
> {
> - GRUB_FILE_FILTER_VERIFY,
> GRUB_FILE_FILTER_GZIO,
> GRUB_FILE_FILTER_XZIO,
> GRUB_FILE_FILTER_LZOPIO,
> + GRUB_FILE_FILTER_VERIFY,
> GRUB_FILE_FILTER_MAX,
> GRUB_FILE_FILTER_COMPRESSION_FIRST = GRUB_FILE_FILTER_GZIO,
> GRUB_FILE_FILTER_COMPRESSION_LAST = GRUB_FILE_FILTER_LZOPIO,
> --
> 2.43.0
>
>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
>
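Review bot: Moving GRUB_FILE_FILTER_VERIFY below GRUB_FILE_FILTER_LZOPIO in this hunk means the gzio, xzio and lzopio filters now run on data that has not yet been verified, since the comment on the context line states that filters with lower ID execute first; the commit message gives the convenience motivation (xen.gz) but does not document that trade-off, and the reply in this thread objects to it for exactly that reason. If the reorder is kept, the commit message should state explicitly that the decompressors become part of the pre-verification attack surface and why that is considered acceptable; the alternative that keeps the verifier first (signing and verifying the compressed file as stored, with `GRUB_FILE_FILTER_VERIFY,` remaining the lowest ID) should be addressed in the description as well. The GRUB_FILE_FILTER_COMPRESSION_FIRST/LAST aliases still point at GZIO and LZOPIO and remain consistent with the new ordering.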