CVE-2020-14310

Priority
Description
There is an issue on grub2 before version 2.06 at function
read_section_as_string(). It expects a font name to be at max UINT32_MAX -
1 length in bytes but it doesn't verify it before proceed with buffer
allocation to read the value from the font value. An attacker may leverage
that by crafting a malicious font file which has a name with UINT32_MAX,
leading to read_section_as_string() to an arithmetic overflow, zero-sized
allocation and further heap-based buffer overflow.
Ubuntu-Description
Chris Coulson discovered that multiple integer overflows existed in GRUB2
when handling certain filesystems or font files, leading to heap-based
buffer overflows. A local attacker could use these to execute arbitrary
code and bypass UEFI Secure Boot restrictions.
References
Notes
amurraygrub2-signed is not supported in Ubuntu 12.04 ESM (precise/esm) and so marking the priority for grub2 in this release as low
Package
Source: grub2 (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 14.04 ESM (Trusty Tahr):released (2.02~beta2-9ubuntu1.20)
Ubuntu 16.06 ESM (Xenial Xerus):released (2.02~beta2-36ubuntu3.26)
Ubuntu 18.04 LTS (Bionic Beaver):released (2.02-2ubuntu8.16)
Ubuntu 20.04 LTS (Focal Fossa):released (2.04-1ubuntu26.1)
Ubuntu 20.10 (Groovy Gorilla):not-affected (2.04-1ubuntu26.1)
Ubuntu 21.04 (Hirsute Hippo):not-affected (2.04-1ubuntu26.1)
Ubuntu 21.10 (Impish Indri):not-affected (2.04-1ubuntu26.1)
Package
Upstream:needs-triage
Ubuntu 14.04 ESM (Trusty Tahr):released (1.34.22)
Ubuntu 16.06 ESM (Xenial Xerus):released (1.66.26)
Ubuntu 18.04 LTS (Bionic Beaver):released (1.93.18)
Ubuntu 20.04 LTS (Focal Fossa):released (1.142.3)
Ubuntu 20.10 (Groovy Gorilla):not-affected (1.147)
Ubuntu 21.04 (Hirsute Hippo):not-affected (1.147)
Ubuntu 21.10 (Impish Indri):not-affected (1.147)
More Information

Updated: 2021-06-05 04:42:21 UTC (commit 9f1442d151c4b1764735c64061fe3a60c369dce8)