Bug 1991686 (CVE-2021-3696)

Summary: CVE-2021-3696 grub2: Crafted PNG image may lead to out-of-bound write during huffman table handling
Product: [Other] Security Response Reporter: Marco Benatto <mbenatto>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bootloader-eng-team, jaredz, mlewando, pjanda, pjones, pkotvan, rharwood, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: grub 2.12 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in grub2 when handling a PNG image header. When decoding the data contained in the Huffman table at the PNG file header, an out-of-bounds write may happen on grub's heap.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-06-16 20:37:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2057532, 2057533, 2057534, 2057535, 2057536, 2057537, 2057538, 2057539, 2057540, 2057541, 2057542, 2089813, 2089814    
Bug Blocks: 1991681    

Description Marco Benatto 2021-08-09 17:22:04 UTC 
A heap out-of-bounds write may heppen during the handling of Huffman tables in the PNG reader. This may lead to data corruption in the heap space. Confidentiality, Integrity and Availablity impact may be considered Low as it's very complex to an attacker control the encoding and positioning of corrupted Huffman entries to achieve results such as arbitrary code execution and/or secure boot circumvention.
Comment 4 errata-xmlrpc 2022-06-16 13:51:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:5098 https://access.redhat.com/errata/RHSA-2022:5098
Comment 5 errata-xmlrpc 2022-06-16 14:55:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5096 https://access.redhat.com/errata/RHSA-2022:5096
Comment 6 errata-xmlrpc 2022-06-16 15:23:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5099 https://access.redhat.com/errata/RHSA-2022:5099
Comment 7 errata-xmlrpc 2022-06-16 15:33:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5095 https://access.redhat.com/errata/RHSA-2022:5095
Comment 8 errata-xmlrpc 2022-06-16 15:45:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:5100 https://access.redhat.com/errata/RHSA-2022:5100
Comment 9 Product Security DevOps Team 2022-06-16 20:37:13 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3696