Your submission was sent successfully! Close

CVE-2020-14310

Published: 29 July 2020

There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a malicious font file which has a name with UINT32_MAX, leading to read_section_as_string() to an arithmetic overflow, zero-sized allocation and further heap-based buffer overflow.

From the Ubuntu security team

Chris Coulson discovered that multiple integer overflows existed in GRUB2 when handling certain filesystems or font files, leading to heap-based buffer overflows. A local attacker could use these to execute arbitrary code and bypass UEFI Secure Boot restrictions.

Notes

AuthorNote
amurray
grub2-signed is not supported in Ubuntu 12.04 ESM (precise/esm) and so marking the priority for grub2 in this release as low
Priority

High

CVSS 3 base score: 5.7

Status

Package Release Status
grub2
Launchpad, Ubuntu, Debian
bionic
Released (2.02-2ubuntu8.16)
focal
Released (2.04-1ubuntu26.1)
groovy Not vulnerable
(2.04-1ubuntu26.1)
hirsute Not vulnerable
(2.04-1ubuntu26.1)
precise Ignored
(end of ESM support, was needed)
trusty
Released (2.02~beta2-9ubuntu1.20)
upstream Needs triage

xenial
Released (2.02~beta2-36ubuntu3.26)
grub2-signed
Launchpad, Ubuntu, Debian
bionic
Released (1.93.18)
eoan Ignored
(reached end-of-life)
focal
Released (1.142.3)
groovy Not vulnerable
(1.147)
hirsute Not vulnerable
(1.147)
precise Does not exist

trusty
Released (1.34.22)
upstream Needs triage

xenial
Released (1.66.26)