Bug 2346123 (CVE-2025-0690)

Summary: CVE-2025-0690 grub2: read: Integer overflow may lead to out-of-bounds write
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: rebus, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
The read command is used to read the keyboard input from the user, while reads it keeps the input length in a 32-bit integer value which is further used to reallocate the line buffer to accept the next character. During this process, with a line big enough it's possible to make this variable to overflow leading to a out-of-bounds write in the heap based buffer. This flaw may be leveraged to corrupt grub's internal critical data and secure boot bypass is not discarded as consequence.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2346347, 2346348, 2346349, 2346350, 2346351    
Bug Blocks:    
Deadline: 2025-02-18   

Description OSIDB Bzimport 2025-02-17 15:39:38 UTC 
The read command is used to read the keyboard input from the user, while reads it keeps the input length in a 32-bit integer value which is further used to reallocate the line buffer to accept the next character. During this process, with a line big enough it's possible to make this variable to overflow leading to a out-of-bounds write in the heap based buffer. This flaw may be leveraged to corrupt grub's internal critical data and secure boot bypass is not discarded as consequence.
Comment 2 Michal Ambroz 2025-02-20 13:20:37 UTC 
it would be so much easier if you would iclude the link to original information which lead to this:
https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html
Comment 5 Michal Ambroz 2025-04-06 11:14:05 UTC 
radare2 doesn't include the grub2 read command code (grub-core/commands/read.c)
Comment 7 errata-xmlrpc 2025-05-13 08:41:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:6990 https://access.redhat.com/errata/RHSA-2025:6990