1861581 – (CVE-2020-15707) CVE-2020-15707 grub2: Integer overflow in initrd size handling

Bug 1861581 (CVE-2020-15707) - CVE-2020-15707 grub2: Integer overflow in initrd size handling

Summary: CVE-2020-15707 grub2: Integer overflow in initrd size handling

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-15707
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1861582 1861583 1861584 1861585 1861586 1861587 1861588 1861589 1861590 1861591 1861592 1863025
Blocks:	1852004
TreeView+	depends on / blocked

Reported:	2020-07-29 01:52 UTC by Marco Benatto
Modified:	2021-02-16 19:36 UTC (History)
CC List:	5 users (show)
Fixed In Version:	grub 2.06
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-07-29 19:28:16 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:3216	None	None	None	2020-07-29 18:31:00 UTC
Red Hat Product Errata	RHSA-2020:3217	None	None	None	2020-07-29 19:34:14 UTC
Red Hat Product Errata	RHSA-2020:3223	None	None	None	2020-07-29 19:38:18 UTC
Red Hat Product Errata	RHSA-2020:3227	None	None	None	2020-07-29 20:14:58 UTC
Red Hat Product Errata	RHSA-2020:3271	None	None	None	2020-08-03 11:52:57 UTC
Red Hat Product Errata	RHSA-2020:3274	None	None	None	2020-08-03 12:06:18 UTC
Red Hat Product Errata	RHSA-2020:3275	None	None	None	2020-08-03 11:14:27 UTC
Red Hat Product Errata	RHSA-2020:3276	None	None	None	2020-08-03 12:03:01 UTC

Description Marco Benatto 2020-07-29 01:52:12 UTC

There are a few integer overflows in grub2 while handling several sizes related to initrd information.
These could be triggered by a crafted filesystem with very large files.

Comment 2 Marco Benatto 2020-07-29 14:24:34 UTC

There's an issue on current grub version caused by a integer overflow at grub_cmd_initrd() function. When having extremely large files, the size file variable used for calculation may overflow, allowing an attacker to cause further invalid memory accesses causing memory corruption and integrity issues.

Comment 4 Marco Benatto 2020-07-29 14:32:49 UTC

Acknowledgments:

Name: Colin Watson (Debian / Canonical Ltd.), Chris Coulson (Canonical)

Comment 5 Marco Benatto 2020-07-29 14:34:14 UTC

Statement:

There's no mitigation available other than installing the update packages.

Comment 6 errata-xmlrpc 2020-07-29 18:30:59 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3216 https://access.redhat.com/errata/RHSA-2020:3216

Comment 7 Product Security DevOps Team 2020-07-29 19:28:16 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-15707

Comment 8 errata-xmlrpc 2020-07-29 19:34:12 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3217 https://access.redhat.com/errata/RHSA-2020:3217

Comment 9 errata-xmlrpc 2020-07-29 19:38:16 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:3223 https://access.redhat.com/errata/RHSA-2020:3223

Comment 10 errata-xmlrpc 2020-07-29 20:14:55 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:3227 https://access.redhat.com/errata/RHSA-2020:3227

Comment 11 errata-xmlrpc 2020-08-03 11:14:23 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:3275 https://access.redhat.com/errata/RHSA-2020:3275

Comment 12 errata-xmlrpc 2020-08-03 11:52:55 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:3271 https://access.redhat.com/errata/RHSA-2020:3271

Comment 13 errata-xmlrpc 2020-08-03 12:02:56 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.3 Telco Extended Update Support

Via RHSA-2020:3276 https://access.redhat.com/errata/RHSA-2020:3276

Comment 14 errata-xmlrpc 2020-08-03 12:06:15 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2020:3274 https://access.redhat.com/errata/RHSA-2020:3274

Comment 15 Marco Benatto 2020-08-03 13:46:06 UTC

Created grub2 tracking bugs for this issue:

Affects: fedora-all [bug 1863025]

Note You need to log in before you can comment on or make changes to this bug.