Bug 2138880 (CVE-2022-3775)

Summary: CVE-2022-3775 grub2: Heap based out-of-bounds write when redering certain unicode sequences
Product: [Other] Security Response Reporter: Marco Benatto <mbenatto>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bootloader-eng-team, jaredz, mlewando, pjanda, pjones, pkotvan, rharwood, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: grub 2.06 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the grub2 font code. When rendering certain unicode sequences, it fails to properly validate the font width and height. These values are further used to access the font buffer, causing possible out-of-bounds writes. A malicious actor may craft a font capable of triggering this issue, allowing modifications in unauthorized memory segments, causing data integrity problems or leading to denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-02-16 00:29:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 2141340, 2141343, 2141335, 2141336, 2141337, 2141338, 2141339, 2141341, 2141342, 2142998    
Bug Blocks: 2112969    

Description Marco Benatto 2022-10-31 14:33:08 UTC 
When rendering certain unicode sequences, grub2's font code doesn't proper validate if the informed glyph's width and height is constrained within bitmap size. As consequence an attacker can craft an input which will lead to a out-of-bounds write into grub2's heap, leading to memory corruption and availability issues. Although complex, arbitrary code execution could not be discarded.
Comment 2 Marco Benatto 2022-11-15 18:11:45 UTC 
Created grub2 tracking bugs for this issue:

Affects: fedora-all [bug 2142998]
Comment 3 errata-xmlrpc 2022-11-16 10:48:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:8494 https://access.redhat.com/errata/RHSA-2022:8494
Comment 4 errata-xmlrpc 2022-12-06 08:54:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2022:8800 https://access.redhat.com/errata/RHSA-2022:8800
Comment 5 errata-xmlrpc 2022-12-13 16:06:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2022:8978 https://access.redhat.com/errata/RHSA-2022:8978
Comment 6 errata-xmlrpc 2023-01-09 14:43:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0049 https://access.redhat.com/errata/RHSA-2023:0049
Comment 7 errata-xmlrpc 2023-01-09 14:44:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:0048 https://access.redhat.com/errata/RHSA-2023:0048
Comment 8 errata-xmlrpc 2023-01-09 14:44:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:0047 https://access.redhat.com/errata/RHSA-2023:0047
Comment 9 errata-xmlrpc 2023-02-14 09:07:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0752 https://access.redhat.com/errata/RHSA-2023:0752
Comment 10 Product Security DevOps Team 2023-02-16 00:29:28 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3775