Bug 1861581 (CVE-2020-15707) - CVE-2020-15707 grub2: Integer overflow in initrd size handling
Summary: CVE-2020-15707 grub2: Integer overflow in initrd size handling
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-15707
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1861582 1861583 1861584 1861585 1861586 1861587 1861588 1861589 1861590 1861591 1861592 1863025
Blocks: 1852004
TreeView+ depends on / blocked
 
Reported: 2020-07-29 01:52 UTC by Marco Benatto
Modified: 2020-08-03 13:46 UTC (History)
5 users (show)

Fixed In Version: grub 2.06
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-29 19:28:16 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3216 None None None 2020-07-29 18:31:00 UTC
Red Hat Product Errata RHSA-2020:3217 None None None 2020-07-29 19:34:14 UTC
Red Hat Product Errata RHSA-2020:3223 None None None 2020-07-29 19:38:18 UTC
Red Hat Product Errata RHSA-2020:3227 None None None 2020-07-29 20:14:58 UTC
Red Hat Product Errata RHSA-2020:3271 None None None 2020-08-03 11:52:57 UTC
Red Hat Product Errata RHSA-2020:3274 None None None 2020-08-03 12:06:18 UTC
Red Hat Product Errata RHSA-2020:3275 None None None 2020-08-03 11:14:27 UTC
Red Hat Product Errata RHSA-2020:3276 None None None 2020-08-03 12:03:01 UTC

Description Marco Benatto 2020-07-29 01:52:12 UTC
There are a few integer overflows in grub2 while handling several sizes related to initrd information.
These could be triggered by a crafted filesystem with very large files.

Comment 2 Marco Benatto 2020-07-29 14:24:34 UTC
There's an issue on current grub version caused by a integer overflow at grub_cmd_initrd() function. When having extremely large files, the size file variable used for calculation may overflow, allowing an attacker to cause further invalid memory accesses causing memory corruption and integrity issues.

Comment 4 Marco Benatto 2020-07-29 14:32:49 UTC
Acknowledgments:

Name: Colin Watson (Debian / Canonical Ltd.), Chris Coulson (Canonical)

Comment 5 Marco Benatto 2020-07-29 14:34:14 UTC
Statement:

There's no mitigation available other than installing the update packages.

Comment 6 errata-xmlrpc 2020-07-29 18:30:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3216 https://access.redhat.com/errata/RHSA-2020:3216

Comment 7 Product Security DevOps Team 2020-07-29 19:28:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-15707

Comment 8 errata-xmlrpc 2020-07-29 19:34:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3217 https://access.redhat.com/errata/RHSA-2020:3217

Comment 9 errata-xmlrpc 2020-07-29 19:38:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:3223 https://access.redhat.com/errata/RHSA-2020:3223

Comment 10 errata-xmlrpc 2020-07-29 20:14:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:3227 https://access.redhat.com/errata/RHSA-2020:3227

Comment 11 errata-xmlrpc 2020-08-03 11:14:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:3275 https://access.redhat.com/errata/RHSA-2020:3275

Comment 12 errata-xmlrpc 2020-08-03 11:52:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:3271 https://access.redhat.com/errata/RHSA-2020:3271

Comment 13 errata-xmlrpc 2020-08-03 12:02:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2020:3276 https://access.redhat.com/errata/RHSA-2020:3276

Comment 14 errata-xmlrpc 2020-08-03 12:06:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:3274 https://access.redhat.com/errata/RHSA-2020:3274

Comment 15 Marco Benatto 2020-08-03 13:46:06 UTC
Created grub2 tracking bugs for this issue:

Affects: fedora-all [bug 1863025]


Note You need to log in before you can comment on or make changes to this bug.