Bug 1927436 (CVE-2021-3408)

Summary: CVE-2021-3408 grub2: heap out-of-bound write due to mis-calculation of space required for quoting
Product: [Other] Security Response
Reporter: Marco Benatto <mbenatto>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE
QA Contact:
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: unspecified
CC: bootloader-eng-team, carnil, fmartine, lkundrak, mrehak, pjones, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
[REJECTED CVE] The grub2 menu rendering code miscalculates the amount of memory needed to hold single-quoted strings. This leads to an out-of-bounds write in grub2's heap of one byte per quote in the input. This results in a 'write-what-where' scenario which an attacker may leverage to compromise heap integrity and possibly achieve code execution, leading to Secure Boot circumvention. For an attack to be successfully deployed, the attacker needs to have high privileges on the targeted system and also triage the heap layout to successfully deploy a crafted payload.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-02-23 11:10:35 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1899965, 1944614

Description Marco Benatto 2021-02-10 17:37:15 UTC
The grub2 menu rendering code miscalculates the amount of memory needed to hold single-quoted strings. This leads to an out-of-bounds write in grub2's heap of one byte per quote in the input. This results in a 'write-what-where' scenario which an attacker may leverage to compromise heap integrity and possibly achieve code execution, leading to Secure Boot circumvention. For an attack to be successfully deployed, the attacker needs to have high privileges on the targeted system and also triage the heap layout to successfully deploy a crafted payload.
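The description only says that the buffer budget for a single-quoted string came up one byte short per quote. The C program below is an added example, not grub2's code, that models that defect class with a hypothetical quoting helper. It assumes the POSIX-shell idiom for embedding a quote inside a single-quoted string (`'\''`, four output bytes replacing one input byte), shows a size budget that charges one byte too few per quote, and contrasts it with the safe pattern: derive the allocation from the same arithmetic the writer uses and refuse to write when the capacity is insufficient. All sample inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical quoting helper (not grub2's code). To embed a single quote
 * inside a single-quoted string we assume the POSIX-shell idiom: close the
 * quote, emit a backslash-escaped quote, reopen the quote. One input byte
 * becomes four output bytes. */
#define QUOTE_ESCAPE     "'\\''"
#define QUOTE_ESCAPE_LEN 4

static size_t count_quotes(const char *s)
{
    size_t n = 0;
    for (; *s; s++)
        if (*s == '\'')
            n++;
    return n;
}

/* Size budget modelled on the defect class in the bug description: it
 * charges three bytes per embedded quote, one short of the four the writer
 * actually emits, so the buffer is q bytes too small for q quotes. */
size_t naive_quoted_size(const char *s)
{
    return strlen(s) + 2 /* surrounding quotes */ + 2 * count_quotes(s) + 1 /* NUL */;
}

/* Correct budget: the original quote byte is already counted by strlen(s),
 * so each quote adds QUOTE_ESCAPE_LEN - 1 extra bytes. */
size_t quoted_size(const char *s)
{
    return strlen(s) + 2 + (QUOTE_ESCAPE_LEN - 1) * count_quotes(s) + 1;
}

/* How far a writer that trusted naive_quoted_size() would run past its
 * allocation: exactly one byte per quote in the input. */
size_t overrun_bytes(const char *s)
{
    return quoted_size(s) - naive_quoted_size(s);
}

/* Write the single-quoted form of s into out[0..cap). Returns the length
 * written (excluding the NUL), or -1 without touching out when cap is too
 * small. The check and the writer share one formula, so they cannot drift. */
long quote_single(const char *s, char *out, size_t cap)
{
    size_t n = 0;

    if (cap < quoted_size(s))
        return -1;
    out[n++] = '\'';
    for (; *s; s++) {
        if (*s == '\'') {
            memcpy(out + n, QUOTE_ESCAPE, QUOTE_ESCAPE_LEN);
            n += QUOTE_ESCAPE_LEN;
        } else {
            out[n++] = *s;
        }
    }
    out[n++] = '\'';
    out[n] = '\0';
    return (long)n;
}

/* Allocate exactly quoted_size(s) bytes and quote into it. Caller frees. */
char *quote_single_dup(const char *s)
{
    size_t need = quoted_size(s);
    char *buf = malloc(need);

    if (buf == NULL)
        return NULL;
    if (quote_single(s, buf, need) < 0) {
        free(buf);
        return NULL;
    }
    return buf;
}

/* Scratch buffer so a caller can exercise quote_single() with a chosen capacity. */
char scratch[64];

int main(void)
{
    /* Constructed sample inputs, not taken from any real grub.cfg. */
    const char *samples[] = { "plain", "it's", "a'b'c", "'''" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *q = quote_single_dup(samples[i]);
        printf("%-6s -> %-18s naive=%zu real=%zu short by %zu byte(s)\n",
               samples[i], q ? q : "(alloc failed)",
               naive_quoted_size(samples[i]), quoted_size(samples[i]),
               overrun_bytes(samples[i]));
        free(q);
    }
    return 0;
}
```

The `overrun_bytes()` value is the review question to ask of any quoting or escaping routine: does the allocation formula grow by exactly as many bytes as the writer emits for each escaped character? Keeping one function that both sizes and bounds the write, as `quote_single()` does, removes the opportunity for the two to disagree.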

Comment 2 Marian Rehak 2021-02-23 11:10:35 UTC

*** This bug has been marked as a duplicate of bug 1926263 ***

Comment 3 Salvatore Bonaccorso 2021-03-03 08:07:19 UTC
Should this CVE be rejected (and the alias removed from here) as a duplicate of CVE-2021-20233?

Comment 4 Marco Benatto 2021-03-03 15:22:46 UTC
In reply to comment #3:
> Should this CVE be rejected (and alias removed from here)? as duplicate of
> CVE-2021-20233?

Hello,

Yes, this has been closed as a duplicate of CVE-2021-20233 and won't be reported to MITRE.
Please consider CVE-2021-20233 as reported at https://www.mail-archive.com/grub-devel@gnu.org/msg31641.html

Let me know if you have any doubts or concerns.