CloverHackyColor / CloverBootloader

Bootloader for macOS, Windows and Linux in UEFI and in legacy mode
BSD 2-Clause "Simplified" License

Vulnerable to LogoFAIL? #667

Closed technout closed 9 months ago

technout commented 9 months ago

Quick question: Is Clover vulnerable to LogoFAIL?

More info: https://arstechnica.com/security/2023/12/just-about-every-windows-and-linux-device-vulnerable-to-new-logofail-firmware-attack/

YBronst commented 9 months ago

Why not? Any attacker can create and distribute a malicious theme for Clover. Users will install it themselves if it looks attractive. Everything we put in UEFI can theoretically overwrite the BIOS. If we can still analyze open source code, then it is unlikely that we can also easily analyze any logo. This applies not only to Clover, but also to OpenCore. And to any third-party bootloader of any OS. It looks like you'll have to give up any hackintoshes, give up graphical excesses, or put up with the threat of outside control. 🤷‍♂️😟

SergeySlice commented 9 months ago

Nonsense. We have our own picture parser, which has no vulnerability and will not cause infected code execution.