grub_parser_split_cmdline expands variable names present in the supplied command line in to their corresponding variable contents and uses a 1kB stack buffer for temporary storage without sufficient bounds checking. If the function is called with a command line that references a variable with a sufficiently large payload, it is possible to overflow the stack buffer, corrupt the stack frame and control execution. An attacker may use this to circumvent Secure Boot protections.
Acknowledgments: Name: Chris Coulson (Canonical)
Created grub2 tracking bugs for this issue: Affects: fedora-all [bug 1934249]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:0698 https://access.redhat.com/errata/RHSA-2021:0698
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:0696 https://access.redhat.com/errata/RHSA-2021:0696
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:0697 https://access.redhat.com/errata/RHSA-2021:0697
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Advanced Update Support Via RHSA-2021:0703 https://access.redhat.com/errata/RHSA-2021:0703
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.2 Advanced Update Support Via RHSA-2021:0704 https://access.redhat.com/errata/RHSA-2021:0704
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions Red Hat Enterprise Linux 7.4 Telco Extended Update Support Via RHSA-2021:0702 https://access.redhat.com/errata/RHSA-2021:0702
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:0699 https://access.redhat.com/errata/RHSA-2021:0699
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2021:0700 https://access.redhat.com/errata/RHSA-2021:0700
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2021:0701 https://access.redhat.com/errata/RHSA-2021:0701
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-27749
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1734 https://access.redhat.com/errata/RHSA-2021:1734
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:2566 https://access.redhat.com/errata/RHSA-2021:2566
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:2790 https://access.redhat.com/errata/RHSA-2021:2790
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:3675 https://access.redhat.com/errata/RHSA-2021:3675