cbcvebase.
CVE-2020-14310
published 2020-07-31

CVE-2020-14310: There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it…

medium6CVSS 3.1
AVLACLPRHUINSUCNIHAH
There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a malicious font file which has a name with UINT32_MAX, leading to read_section_as_string() to an arithmetic overflow, zero-sized allocation and further heap-based buffer overflow.

Affected

31 ranges· showing 25
VendorProductVersion rangeFixed in
canonicalubuntu_linux
canonicalubuntu_linux
canonicalubuntu_linux
canonicalubuntu_linux
debiangrub2< grub2 2.04-9 (bookworm)grub2 2.04-9 (bookworm)
gnugrub2< 2.062.06
gnugrub2>= 0 < 2.04-92.04-9
gnugrub2>= 0 < 2.04-92.04-9
gnugrub2>= 0 < 2.04-92.04-9
gnugrub2>= 0 < 2.04-92.04-9
gnugrub2>= 0 < 2.02~beta2-36ubuntu3.262.02~beta2-36ubuntu3.26
gnugrub2>= 0 < 2.02~beta2-36ubuntu3.272.02~beta2-36ubuntu3.27
gnugrub2>= 0 < 2.02-2ubuntu8.162.02-2ubuntu8.16
gnugrub2>= 0 < 2.02-2ubuntu8.172.02-2ubuntu8.17
gnugrub2>= 0 < 2.04-1ubuntu26.12.04-1ubuntu26.1
gnugrub2>= 0 < 2.04-1ubuntu26.22.04-1ubuntu26.2
gnugrub2>= 0 < 2.02~beta2-9ubuntu1.202.02~beta2-9ubuntu1.20
gnugrub2>= 0 < 2.02~beta2-9ubuntu1.212.02~beta2-9ubuntu1.21
msrcazl3_grub2_2.06-23_on_azure_linux_3.0
msrccbl2_grub2_2.06rc1-7_on_cbl_mariner_2.0
msrccm1_grub2_2.06rc1-4_on_cbl_mariner_1.0
opensuseleap
opensuseleap
paloaltopan-os
redhatenterprise_linux

CVSS provenance

nvdv3.16.0MEDIUMCVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
osv8.2HIGH