[Debian] CVE: CVE-2022-2601/CVE-2022-3775: grub2: multiple CVEs

Bug #2020730 reported by Yue Tao
Affects: StarlingX | Status: Fix Released | Importance: High | Assigned to: Li Zhou | Milestone: (none listed)

Bug Description

CVE-2022-2601: https://nvd.nist.gov/vuln/detail/CVE-2022-2601

A buffer overflow was found in grub_font_construct_glyph(). A maliciously crafted pf2 font can lead to an overflow when calculating the max_glyph_size value, allocating a smaller-than-needed buffer for the glyph; this further leads to a buffer overflow and a heap-based out-of-bounds write. An attacker may use this vulnerability to circumvent the secure boot mechanism.

CVE-2022-3775: https://nvd.nist.gov/vuln/detail/CVE-2022-3775

When rendering certain unicode sequences, grub2's font code doesn't properly validate whether the informed glyph's width and height are constrained within the bitmap size. As a consequence, an attacker can craft an input which will lead to an out-of-bounds write into grub2's heap, leading to memory corruption and availability issues. Although complex, arbitrary code execution could not be discarded.

Base Score: High

References:

It is a source package in the integ repository

https://www.debian.org/security/2022/dsa-5280

grub2_2.06-3~deb11u4


Yue Tao (wrytao)
Changed in starlingx:
importance: Undecided → High
status: New → Triaged
tags: added: stx.9.0 stx.security
Li Zhou (lzhou2)
Changed in starlingx:
assignee: nobody → Li Zhou (lzhou2)
OpenStack Infra (hudson-openstack) wrote: Fix proposed to integ (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/integ/+/885008

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to integ (master)

Reviewed: https://review.opendev.org/c/starlingx/integ/+/885008
Committed: https://opendev.org/starlingx/integ/commit/d10d6fb1870c09bebb2a39e644c0edcbc26999b3
Submitter: "Zuul (22348)"
Branch: master

commit d10d6fb1870c09bebb2a39e644c0edcbc26999b3
Author: Li Zhou <email address hidden>
Date: Tue May 30 16:49:58 2023 +0800

    grub2/grub-efi: fix CVE-2022-2601/CVE-2022-3775

    Porting patches from grub2_2.06-3~deb11u4 to fix
    CVE-2022-2601/CVE-2022-3775.

    The source code of grub2_2.06-3~deb11u4 is from:
    https://snapshot.debian.org/archive/debian/20221124T030451Z/
    pool/main/g/grub2/grub2_2.06-3~deb11u4.debian.tar.xz

    Refer to the above source code and this link for the fix:
    https://lists.gnu.org/archive/html/grub-devel/2022-11/msg00059.html

    The 1st patch in the list is for making proper context for the 14
    patches of the 2 CVEs. No content changes for all the patches from
    debian release.

    We do this because grub2/grub-efi is ported from wrlinux for
    secure boot bring-up.

    Test plan:
     - PASS: build grub2/grub-efi.
     - PASS: build-image and install and boot up on lab/qemu.
     - PASS: check that the "stx.N" version number is right for both
             bios(grub2 ver) and uefi(grub-efi ver) boot.

    Closes-bug: 2020730

    Signed-off-by: Li Zhou <email address hidden>
    Change-Id: Ia6c58a2021a786ef92f760b3cfe035fbccedacf7

Changed in starlingx:
status: In Progress → Fix Released