CVE-2020-14308

Priority
Description
In grub2 versions before 2.06 the grub memory allocator doesn't check for
possible arithmetic overflows on the requested allocation size. This leads
the function to return invalid memory allocations which can be further used
to cause possible integrity, confidentiality and availability impacts
during the boot process.
Ubuntu-Description
It was discovered that the memory allocator for GRUB2 did not validate
allocation size, resulting in multiple integer overflows and heap-based
buffer overflows when handling certain filesystems, PNG images or disk
metadata. A local attacker could use this to execute arbitrary code and
bypass UEFI Secure Boot restrictions.
Notes
amurraygrub2-signed is not supported in Ubuntu 12.04 ESM (precise/esm) and so marking the priority for grub2 in this release as low
Package
Source: grub2 (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):needed
Ubuntu 14.04 ESM (Trusty Tahr):released (2.02~beta2-9ubuntu1.20)
Ubuntu 16.04 LTS (Xenial Xerus):released (2.02~beta2-36ubuntu3.26)
Ubuntu 18.04 LTS (Bionic Beaver):released (2.02-2ubuntu8.16)
Ubuntu 20.04 LTS (Focal Fossa):released (2.04-1ubuntu26.1)
Ubuntu 20.10 (Groovy Gorilla):not-affected (2.04-1ubuntu26.1)
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):released (1.34.22)
Ubuntu 16.04 LTS (Xenial Xerus):released (1.66.26)
Ubuntu 18.04 LTS (Bionic Beaver):released (1.93.18)
Ubuntu 20.04 LTS (Focal Fossa):released (1.142.3)
Ubuntu 20.10 (Groovy Gorilla):not-affected (1.147)
More Information

Updated: 2020-08-05 04:14:33 UTC (commit 75ee2efd5b1f4456ca1263baf8c308c5218273da)