Bug 1926263 (CVE-2021-20233) - CVE-2021-20233 grub2: Heap out-of-bounds write due to miscalculation of space required for quoting
Summary: CVE-2021-20233 grub2: Heap out-of-bounds write due to miscalculation of space...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-20233
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Javier Martinez Canillas
QA Contact:
URL:
Whiteboard:
: CVE-2021-3408 (view as bug list)
Depends On: Red Hat1932993 Red Hat1932994 Red Hat1932995 Red Hat1932996 Red Hat1932791 Red Hat1932973 Red Hat1932974 Red Hat1932975 Red Hat1932976 Red Hat1932977 Red Hat1932978 Red Hat1932983 Red Hat1932984 Red Hat1932985 Red Hat1932986 Red Hat1932987 Red Hat1932988 Red Hat1932989 Red Hat1932990 Red Hat1932991 Red Hat1932992 Red Hat1932997 Red Hat1932998 Red Hat1932999 Red Hat1933000 Red Hat1933001 Red Hat1933002 Red Hat1933003 Red Hat1933004 Red Hat1933005 Red Hat1933006 Red Hat1933007 Red Hat1933008 Red Hat1933009 Red Hat1933010 Red Hat1933011 Red Hat1933012 Red Hat1933014 Red Hat1933015 1934252 Red Hat1991034 Red Hat1991035 Red Hat1991036 Red Hat1991037 Red Hat1991038 Red Hat1991040
Blocks: Embargoed1899965 Red Hat1926372
TreeView+ depends on / blocked
 
Reported: 2021-02-08 14:18 UTC by Marco Benatto
Modified: 2021-09-28 14:34 UTC (History)
8 users (show)

Fixed In Version: grub 2.06
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in grub2. Setparam_prefix() in the menu rendering code performs a length calculation on the assumption that expressing a quoted single quote will require 3 characters, while it actually requires 4 characters which allows an attacker to corrupt memory by one byte for each quote in the input. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-03-03 01:02:18 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:0730 0 None None None 2021-03-04 13:50:05 UTC
Red Hat Product Errata RHBA-2021:0731 0 None None None 2021-03-04 14:03:37 UTC
Red Hat Product Errata RHBA-2021:0791 0 None None None 2021-03-09 20:47:52 UTC
Red Hat Product Errata RHSA-2021:0696 0 None None None 2021-03-02 19:21:32 UTC
Red Hat Product Errata RHSA-2021:0697 0 None None None 2021-03-02 19:25:29 UTC
Red Hat Product Errata RHSA-2021:0698 0 None None None 2021-03-02 19:17:15 UTC
Red Hat Product Errata RHSA-2021:0699 0 None None None 2021-03-02 20:48:09 UTC
Red Hat Product Errata RHSA-2021:0700 0 None None None 2021-03-02 20:50:44 UTC
Red Hat Product Errata RHSA-2021:0701 0 None None None 2021-03-02 21:02:04 UTC
Red Hat Product Errata RHSA-2021:0702 0 None None None 2021-03-02 20:09:46 UTC
Red Hat Product Errata RHSA-2021:0703 0 None None None 2021-03-02 19:36:43 UTC
Red Hat Product Errata RHSA-2021:0704 0 None None None 2021-03-02 19:53:56 UTC
Red Hat Product Errata RHSA-2021:2566 0 None None None 2021-06-29 16:26:30 UTC
Red Hat Product Errata RHSA-2021:2790 0 None None None 2021-07-20 22:09:13 UTC
Red Hat Product Errata RHSA-2021:3675 0 None None None 2021-09-28 14:34:48 UTC

Description Marco Benatto 2021-02-08 14:18:19 UTC 
There's a flaw on grub2 menu rendering code setparam_prefix() in the menu rendering code performs a length calculation on the assumption that expressing a quoted single quote will require 3 characters, while it actually requires 4 characters. This allow an attacker to corrupt memory by one byte for each quote in the input.
Comment 2 Marian Rehak 2021-02-23 11:10:34 UTC 
*** Bug 1927436 has been marked as a duplicate of this bug. ***
Comment 6 Marco Benatto 2021-03-02 18:40:48 UTC 
Created grub2 tracking bugs for this issue:

Affects: fedora-all [bug 1934252]
Comment 7 errata-xmlrpc 2021-03-02 19:17:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0698 https://access.redhat.com/errata/RHSA-2021:0698
Comment 8 errata-xmlrpc 2021-03-02 19:21:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0696 https://access.redhat.com/errata/RHSA-2021:0696
Comment 9 errata-xmlrpc 2021-03-02 19:25:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0697 https://access.redhat.com/errata/RHSA-2021:0697
Comment 10 errata-xmlrpc 2021-03-02 19:36:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2021:0703 https://access.redhat.com/errata/RHSA-2021:0703
Comment 11 errata-xmlrpc 2021-03-02 19:53:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Advanced Update Support

Via RHSA-2021:0704 https://access.redhat.com/errata/RHSA-2021:0704
Comment 12 errata-xmlrpc 2021-03-02 20:09:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2021:0702 https://access.redhat.com/errata/RHSA-2021:0702
Comment 13 errata-xmlrpc 2021-03-02 20:48:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0699 https://access.redhat.com/errata/RHSA-2021:0699
Comment 14 errata-xmlrpc 2021-03-02 20:50:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:0700 https://access.redhat.com/errata/RHSA-2021:0700
Comment 15 errata-xmlrpc 2021-03-02 21:02:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2021:0701 https://access.redhat.com/errata/RHSA-2021:0701
Comment 16 Product Security DevOps Team 2021-03-03 01:02:18 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20233
Comment 17 errata-xmlrpc 2021-05-18 14:37:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1734 https://access.redhat.com/errata/RHSA-2021:1734
Comment 18 errata-xmlrpc 2021-06-29 16:26:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2566 https://access.redhat.com/errata/RHSA-2021:2566
Comment 19 errata-xmlrpc 2021-07-20 22:09:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2790 https://access.redhat.com/errata/RHSA-2021:2790
Comment 20 errata-xmlrpc 2021-09-28 14:34:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3675 https://access.redhat.com/errata/RHSA-2021:3675
Note You need to log in before you can comment on or make changes to this bug.