Bug 1991685 (CVE-2021-3695) - CVE-2021-3695 grub2: Crafted PNG grayscale images may lead to out-of-bounds write in heap
Summary: CVE-2021-3695 grub2: Crafted PNG grayscale images may lead to out-of-bounds write in heap
Status: CLOSED ERRATA
Alias: CVE-2021-3695
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 2070687 2070688 2031889 2031890 2031891 2031892 2031893 2031894 2031895 2031897 2031899 2031901 2031902 2089810 2094468
Blocks: 1991681
Reported: 2021-08-09 17:19 UTC by Marco Benatto
Modified: 2022-07-19 15:32 UTC (History)

Fixed In Version: grub 2.12
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in grub2, where a crafted 16-bit grayscale PNG image may lead to an out-of-bounds write. This flaw allows an attacker to corrupt data on the heap portion of grub2's memory, leading to possible code execution and circumvention of the Secure Boot mechanism.
Last Closed: 2022-06-16 21:07:12 UTC

Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHBA-2022:5105  0        None      None    None     2022-06-16 21:08:35 UTC
Red Hat Product Errata  RHBA-2022:5121  0        None      None    None     2022-06-20 01:27:27 UTC
Red Hat Product Errata  RHBA-2022:5127  0        None      None    None     2022-06-20 12:12:07 UTC
Red Hat Product Errata  RHBA-2022:5128  0        None      None    None     2022-06-20 14:27:02 UTC
Red Hat Product Errata  RHBA-2022:5170  0        None      None    None     2022-06-22 11:38:28 UTC
Red Hat Product Errata  RHBA-2022:5437  0        None      None    None     2022-06-30 07:15:14 UTC
Red Hat Product Errata  RHBA-2022:5578  0        None      None    None     2022-07-13 15:10:18 UTC
Red Hat Product Errata  RHBA-2022:5643  0        None      None    None     2022-07-19 15:32:26 UTC
Red Hat Product Errata  RHSA-2022:5095  0        None      None    None     2022-06-16 15:33:49 UTC
Red Hat Product Errata  RHSA-2022:5096  0        None      None    None     2022-06-16 14:55:06 UTC
Red Hat Product Errata  RHSA-2022:5098  0        None      None    None     2022-06-16 13:51:12 UTC
Red Hat Product Errata  RHSA-2022:5099  0        None      None    None     2022-06-16 15:23:40 UTC
Red Hat Product Errata  RHSA-2022:5100  0        None      None    None     2022-06-16 15:45:53 UTC

Description Marco Benatto 2021-08-09 17:19:20 UTC
A crafted 16-bit grayscale PNG image may lead to an out-of-bounds write in the heap area. An attacker may take advantage of that to cause heap data corruption or eventually arbitrary code execution and circumvent secure boot protections. This issue has a high complexity to be exploited, as an attacker needs to perform some triage over the heap layout to achieve significant results; also, the values written into the memory are repeated three times in a row, making it difficult to produce valid payloads.

Comment 5 Todd Cullum 2022-06-07 17:01:03 UTC
Created grub2 tracking bugs for this issue:

Affects: fedora-all [bug 2094468]

Comment 6 errata-xmlrpc 2022-06-16 13:51:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:5098 https://access.redhat.com/errata/RHSA-2022:5098

Comment 7 errata-xmlrpc 2022-06-16 14:55:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5096 https://access.redhat.com/errata/RHSA-2022:5096

Comment 8 errata-xmlrpc 2022-06-16 15:23:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5099 https://access.redhat.com/errata/RHSA-2022:5099

Comment 9 errata-xmlrpc 2022-06-16 15:33:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5095 https://access.redhat.com/errata/RHSA-2022:5095

Comment 10 errata-xmlrpc 2022-06-16 15:45:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:5100 https://access.redhat.com/errata/RHSA-2022:5100

Comment 11 Product Security DevOps Team 2022-06-16 21:07:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3695