Bug 2138880 (CVE-2022-3775) - CVE-2022-3775 grub2: Heap based out-of-bounds write when redering certain unicode sequences
Summary: CVE-2022-3775 grub2: Heap based out-of-bounds write when redering certain uni...
Keywords:
Status: NEW
Alias: CVE-2022-3775
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2141340 2141342 2141343 2141335 2141336 2141337 2141338 2141339 2141341 2142998
Blocks: 2112969
TreeView+ depends on / blocked
 
Reported: 2022-10-31 14:33 UTC by Marco Benatto
Modified: 2023-01-09 14:44 UTC (History)
8 users (show)

Fixed In Version: grub 2.06
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the grub2 font code. When rendering certain unicode sequences, it fails to properly validate the font width and height. These values are further used to access the font buffer, causing possible out-of-bounds writes. A malicious actor may craft a font capable of triggering this issue, allowing modifications in unauthorized memory segments, causing data integrity problems or leading to denial of service.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:8494 0 None None None 2022-11-16 10:48:15 UTC
Red Hat Product Errata RHSA-2022:8800 0 None None None 2022-12-06 08:54:26 UTC
Red Hat Product Errata RHSA-2022:8978 0 None None None 2022-12-13 16:06:55 UTC
Red Hat Product Errata RHSA-2023:0047 0 None None None 2023-01-09 14:44:50 UTC
Red Hat Product Errata RHSA-2023:0048 0 None None None 2023-01-09 14:44:13 UTC
Red Hat Product Errata RHSA-2023:0049 0 None None None 2023-01-09 14:43:05 UTC

Description Marco Benatto 2022-10-31 14:33:08 UTC
When rendering certain unicode sequences, grub2's font code doesn't proper validate if the informed glyph's width and height is constrained within bitmap size. As consequence an attacker can craft an input which will lead to a out-of-bounds write into grub2's heap, leading to memory corruption and availability issues. Although complex, arbitrary code execution could not be discarded.

Comment 2 Marco Benatto 2022-11-15 18:11:45 UTC
Created grub2 tracking bugs for this issue:

Affects: fedora-all [bug 2142998]

Comment 3 errata-xmlrpc 2022-11-16 10:48:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:8494 https://access.redhat.com/errata/RHSA-2022:8494

Comment 4 errata-xmlrpc 2022-12-06 08:54:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2022:8800 https://access.redhat.com/errata/RHSA-2022:8800

Comment 5 errata-xmlrpc 2022-12-13 16:06:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2022:8978 https://access.redhat.com/errata/RHSA-2022:8978

Comment 6 errata-xmlrpc 2023-01-09 14:43:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0049 https://access.redhat.com/errata/RHSA-2023:0049

Comment 7 errata-xmlrpc 2023-01-09 14:44:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:0048 https://access.redhat.com/errata/RHSA-2023:0048

Comment 8 errata-xmlrpc 2023-01-09 14:44:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:0047 https://access.redhat.com/errata/RHSA-2023:0047


Note You need to log in before you can comment on or make changes to this bug.