[Buildroot] [PATCH v2] boot/grub2: Backport Boothole securify fixes

Peter Korsgaard peter at korsgaard.com
Mon Aug 3 11:43:53 UTC 2020


>>>>> "stefan" == stefan  <stefan at astylos.dk> writes:

 > From: Stefan Sørensen <stefan.sorensen at spectralink.com>
 > Details: https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html

 > Fixes the following security issues:

 >  * CVE-2020-10713
 >    A flaw was found in grub2, prior to version 2.06. An attacker may
 >    use the GRUB 2 flaw to hijack and tamper the GRUB verification
 >    process. This flaw also allows the bypass of Secure Boot
 >    protections. In order to load an untrusted or modified kernel, an
 >    attacker would first need to establish access to the system such as
 >    gaining physical access, obtain the ability to alter a pxe-boot
 >    network, or have remote access to a networked system with root
 >    access. With this access, an attacker could then craft a string to
 >    cause a buffer overflow by injecting a malicious payload that leads
 >    to arbitrary code execution within GRUB. The highest threat from
 >    this vulnerability is to data confidentiality and integrity as well
 >    as system availability.

 >  * CVE-2020-14308
 >    In grub2 versions before 2.06 the grub memory allocator doesn't
 >    check for possible arithmetic overflows on the requested allocation
 >    size. This leads the function to return invalid memory allocations
 >    which can be further used to cause possible integrity,
 >    confidentiality and availability impacts during the boot process.

 >  * CVE-2020-14309
 >    There's an issue with grub2 in all versions before 2.06 when
 >    handling squashfs filesystems containing a symbolic link with name
 >    length of UINT32 bytes in size. The name size leads to an
 >    arithmetic overflow leading to a zero-size allocation further
 >    causing a heap-based buffer overflow with attacker controlled data.

 >  * CVE-2020-14310
 >    An integer overflow in read_section_from_string may lead to a heap
 >    based buffer overflow.

 >  * CVE-2020-14311
 >    An integer overflow in grub_ext2_read_link may lead to a heap-based
 >    buffer overflow.

 >  * CVE-2020-15706
 >    GRUB2 contains a race condition in grub_script_function_create()
 >    leading to a use-after-free vulnerability which can be triggered by
 >    redefining a function whilst the same function is already
 >    executing, leading to arbitrary code execution and secure boot
 >    restriction bypass.

 >  * CVE-2020-15707
 >    Integer overflows were discovered in the functions grub_cmd_initrd
 >    and grub_initrd_init in the efilinux component of GRUB2, as shipped
 >    in Debian, Red Hat, and Ubuntu (the functionality is not included
 >    in GRUB2 upstream), leading to a heap-based buffer overflow. These
 >    could be triggered by an extremely large number of arguments to the
 >    initrd command on 32-bit architectures, or a crafted filesystem
 >    with very large files on any architecture. An attacker could use
 >    this to execute arbitrary code and bypass UEFI Secure Boot
 >    restrictions. This issue affects GRUB2 version 2.04 and prior
 >    versions.

 > Signed-off-by: Stefan Sørensen <stefan.sorensen at spectralink.com>
 > ---
 > Changes since v1:
 >  * Add Signed-off-by to patches


Please use the -N option to git format-patch as pointed out by
check-package:

Applying: boot/grub2: Backport Boothole securify fixes
boot/grub2/0002-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch:4: generate your patches with 'git format-patch -N'

Committed after fixing that up, thanks.

-- 
Bye, Peter Korsgaard
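The allocation-size integer overflows listed above (CVE-2020-14308, -14309, -14311: a 32-bit on-disk length field plus a terminator wraps to a zero-size allocation, and the following copy overruns the heap) reduce to one pattern. Added example, not GRUB's code and not part of this patch series: a constructed model of the unchecked size computation beside an overflow-checked variant; every function name and the sample record are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug class: a filesystem metadata record carries a
 * 32-bit name length, and the parser allocates name_len + 1 bytes for it.
 * With name_len == UINT32_MAX the addition wraps to 0, malloc(0) returns a
 * tiny (or NULL) chunk, and the subsequent copy of name_len bytes overruns
 * the heap with attacker-controlled data. */

/* Size computation as it is typically written. Computed in uint32_t so the
 * wrap is reproducible regardless of the host's size_t width. */
uint32_t unchecked_alloc_size(uint32_t name_len)
{
    return name_len + 1;            /* wraps to 0 for UINT32_MAX */
}

/* Hardened variant: reject lengths above a sane upper bound, and detect the
 * +1 overflow with the compiler's checked-arithmetic builtin (GCC/Clang).
 * Returns the byte count to allocate, or 0 if the request was rejected;
 * 0 is never a valid result because the terminator always adds one byte. */
uint32_t checked_alloc_size(uint32_t name_len, uint32_t max_len)
{
    uint32_t total;
    if (name_len > max_len)
        return 0;
    if (__builtin_add_overflow(name_len, 1u, &total))
        return 0;
    return total;
}

/* Constructed sample record: the bytes of a link target as they would sit
 * on disk after the length field. */
static const uint8_t sample_record[] = { 'b', 'o', 'o', 't' };
#define SAMPLE_RECORD_LEN ((uint32_t)sizeof(sample_record))

/* Copies a link target out of a record into a fresh NUL-terminated buffer.
 * Returns NULL if the declared length is unsafe, exceeds the record, or the
 * allocation fails. Caller frees the result. */
char *read_link_target(const uint8_t *rec, uint32_t rec_len, uint32_t name_len)
{
    uint32_t size = checked_alloc_size(name_len, 4096u);
    if (size == 0 || name_len > rec_len)   /* record must hold the bytes */
        return NULL;
    char *buf = malloc(size);
    if (!buf)
        return NULL;
    memcpy(buf, rec, name_len);
    buf[name_len] = '\0';
    return buf;
}
```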
