Description
There is an issue on grub2 before version 2.06 at function
read_section_as_string(). It expects a font name to be at max UINT32_MAX -
1 length in bytes but it doesn't verify it before proceed with buffer
allocation to read the value from the font value. An attacker may leverage
that by crafting a malicious font file which has a name with UINT32_MAX,
leading to read_section_as_string() to an arithmetic overflow, zero-sized
allocation and further heap-based buffer overflow.
Ubuntu-Description
Chris Coulson discovered that multiple integer overflows existed in GRUB2
when handling certain filesystems or font files, leading to heap-based
buffer overflows. A local attacker could use these to execute arbitrary
code and bypass UEFI Secure Boot restrictions.
Notes
amurray | grub2-signed is not supported in Ubuntu 12.04 ESM (precise/esm) and so marking the priority for grub2 in this release as low |
Updated: 2020-10-24 07:02:35 UTC (commit 69e225d81a6ee3e2e014950178db797c5d4e5009)