Bug 1991687 (CVE-2021-3697)

Summary: CVE-2021-3697 grub2: Crafted JPEG image can lead to buffer underflow write in the heap
Product: [Other] Security Response Reporter: Marco Benatto <mbenatto>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bootloader-eng-team, jaredz, mlewando, pjanda, pjones, pkotvan, rharwood, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: grub 2.12 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in grub2 when handling JPEG images. This flaw allows an attacker to craft a malicious JPEG image, which leads to an underflow on a grub2's internal pointer, leading to a heap-based out-of-bounds write. Secure-boot mechanisms circumvention and arbitrary code execution may also be achievable.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-06-16 21:08:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2057546, 2057547, 2057548, 2057549, 2057550, 2057551, 2057552, 2057553, 2057554, 2057555, 2089822, 2130193    
Bug Blocks: 1991681, 1991927    

Description Marco Benatto 2021-08-09 17:24:46 UTC 
A crafted JPEG image may lead the JPEG reader to underflow its data pointer, allowing user controlled data to be written in heap. To a successful to be performed the attacker needs to perform some triage over the heap layout and craft an image with a malicious format and payload. This vulnerability can lead to data corruption and eventual code execution or secure boot circumvention.
Comment 4 errata-xmlrpc 2022-06-16 13:51:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:5098 https://access.redhat.com/errata/RHSA-2022:5098
Comment 5 errata-xmlrpc 2022-06-16 14:55:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5096 https://access.redhat.com/errata/RHSA-2022:5096
Comment 6 errata-xmlrpc 2022-06-16 15:23:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5099 https://access.redhat.com/errata/RHSA-2022:5099
Comment 7 errata-xmlrpc 2022-06-16 15:33:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5095 https://access.redhat.com/errata/RHSA-2022:5095
Comment 8 errata-xmlrpc 2022-06-16 15:45:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:5100 https://access.redhat.com/errata/RHSA-2022:5100
Comment 9 Product Security DevOps Team 2022-06-16 21:07:59 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3697