Bug 1924696 (CVE-2021-20225)

Summary: CVE-2021-20225 grub2: Heap out-of-bounds write in short form option parser
Product: [Other] Security Response Reporter: Marco Benatto <mbenatto>
Component: vulnerabilityAssignee: Javier Martinez Canillas <fmartine>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bootloader-eng-team, fmartine, jhlavac, lkundrak, pjanda, pjones, rhughes, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: grub 2.06 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in grub2. The option parser allows an attacker to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-03-03 01:02:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1932793, 1932921, 1932922, 1932923, 1932924, 1932925, 1932926, 1932927, 1932928, 1932929, 1932930, 1932931, 1932932, 1932933, 1932934, 1932935, 1932936, 1932937, 1932938, 1932939, 1932940, 1932941, 1932942, 1932943, 1932944, 1932945, 1932947, 1932948, 1932949, 1932950, 1932951, 1932952, 1932953, 1932954, 1932955, 1932956, 1932957, 1932958, 1932959, 1934251, 1991009, 1991011, 1991012, 1991015, 1991016, 1991018    
Bug Blocks: 1899965    

Description Marco Benatto 2021-02-03 13:26:08 UTC 
The option parser in grub2 allows an attacker to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options.
Comment 3 Marco Benatto 2021-03-02 18:40:44 UTC 
Created grub2 tracking bugs for this issue:

Affects: fedora-all [bug 1934251]
Comment 4 errata-xmlrpc 2021-03-02 19:17:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0698 https://access.redhat.com/errata/RHSA-2021:0698
Comment 5 errata-xmlrpc 2021-03-02 19:21:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0696 https://access.redhat.com/errata/RHSA-2021:0696
Comment 6 errata-xmlrpc 2021-03-02 19:25:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0697 https://access.redhat.com/errata/RHSA-2021:0697
Comment 7 errata-xmlrpc 2021-03-02 19:36:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2021:0703 https://access.redhat.com/errata/RHSA-2021:0703
Comment 8 errata-xmlrpc 2021-03-02 19:53:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2021:0704 https://access.redhat.com/errata/RHSA-2021:0704
Comment 9 errata-xmlrpc 2021-03-02 20:09:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2021:0702 https://access.redhat.com/errata/RHSA-2021:0702
Comment 10 errata-xmlrpc 2021-03-02 20:48:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0699 https://access.redhat.com/errata/RHSA-2021:0699
Comment 11 errata-xmlrpc 2021-03-02 20:50:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:0700 https://access.redhat.com/errata/RHSA-2021:0700
Comment 12 errata-xmlrpc 2021-03-02 21:01:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2021:0701 https://access.redhat.com/errata/RHSA-2021:0701
Comment 13 Product Security DevOps Team 2021-03-03 01:02:14 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20225
Comment 14 errata-xmlrpc 2021-05-18 14:37:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1734 https://access.redhat.com/errata/RHSA-2021:1734
Comment 15 errata-xmlrpc 2021-06-29 16:26:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2566 https://access.redhat.com/errata/RHSA-2021:2566
Comment 16 errata-xmlrpc 2021-07-20 22:09:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2790 https://access.redhat.com/errata/RHSA-2021:2790
Comment 17 errata-xmlrpc 2021-09-28 14:34:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3675 https://access.redhat.com/errata/RHSA-2021:3675