Headline
CVE-2020-14309: Integer overflow in grub_squash_read_symlink may lead to heap-based buffer overflow
There’s an issue with grub2 in all versions before 2.06 when handling squashfs filesystems containing a symbolic link with a name length of UINT32 bytes in size. The name size causes an arithmetic overflow, which leads to a zero-size allocation and, in turn, to a heap-based buffer overflow with attacker-controlled data.
Description Marco Benatto 2020-06-29 15:33:00 UTC
Integer overflow in grub_squash_read_symlink triggered by a specially crafted squashfs filesystem containing a symlink inode with a name length of UINT32, which leads to a zero-sized allocation and subsequent heap buffer overflow with attacker-controlled data.
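The size arithmetic described above, as an added example that is not part of the original report and is not GRUB's code. The struct, the function names, the `max_len` limit and the "+ 1 for a terminator" step are assumptions made for illustration; it compares the unchecked 32-bit size computation with an overflow-checked one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the on-disk symlink inode field (not GRUB's struct). */
struct symlink_inode { uint32_t namelen; };

/* Unchecked pattern: name length plus one byte for a terminator (assumed).
 * The sum is computed in 32 bits, so namelen == UINT32_MAX wraps to 0 and
 * the allocator is asked for a zero-sized buffer. */
static uint32_t alloc_size_unchecked(const struct symlink_inode *ino)
{
    return (uint32_t)(ino->namelen + 1u);
}

/* Checked pattern: refuse the inode if the addition overflows or if the
 * name is longer than a caller-supplied limit (max_len is a hypothetical
 * policy value, e.g. the bytes actually left in the image). */
static bool alloc_size_checked(const struct symlink_inode *ino,
                               uint32_t max_len, size_t *out)
{
    uint32_t sz;

    if (__builtin_add_overflow(ino->namelen, 1u, &sz))
        return false;               /* arithmetic overflow: reject */
    if (ino->namelen > max_len)
        return false;               /* implausible length: reject */
    *out = sz;
    return true;
}

int main(void)
{
    /* Constructed sample lengths, not taken from a real filesystem image. */
    const uint32_t samples[] = { 11u, 4096u, UINT32_MAX };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct symlink_inode ino = { samples[i] };
        size_t sz = 0;
        bool ok = alloc_size_checked(&ino, 4096u, &sz);

        printf("namelen=%u unchecked_alloc=%u checked=%s\n",
               (unsigned)ino.namelen, (unsigned)alloc_size_unchecked(&ino),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

With the unchecked form, the buffer size and the number of bytes later copied into it disagree as soon as the sum wraps; the checked form rejects the inode before any allocation happens.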
Comment 2 Marco Benatto 2020-07-07 15:30:11 UTC
Acknowledgments:
Name: Chris Coulson (Ubuntu Security Team)
Comment 12 errata-xmlrpc 2020-08-03 11:14:09 UTC
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7.4 Advanced Update Support
Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
Red Hat Enterprise Linux 7.4 Telco Extended Update Support
Via RHSA-2020:3275 https://access.redhat.com/errata/RHSA-2020:3275
Comment 14 errata-xmlrpc 2020-08-03 12:02:36 UTC
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7.3 Advanced Update Support
Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
Red Hat Enterprise Linux 7.3 Telco Extended Update Support
Via RHSA-2020:3276 https://access.redhat.com/errata/RHSA-2020:3276
Comment 16 Marco Benatto 2020-08-03 13:45:40 UTC
Created grub2 tracking bugs for this issue:
Affects: fedora-all [bug 1863019]