1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 4867-1] grub2 security update

    From Salvatore Bonaccorso@21:1/5 to All on Tue Mar 2 19:20:01 2021
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-4867-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso
    March 02, 2021 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : grub2
    CVE ID : CVE-2020-14372 CVE-2020-25632 CVE-2020-25647 CVE-2020-27749
    CVE-2020-27779 CVE-2021-20225 CVE-2021-20233

    Several vulnerabilities have been discovered in the GRUB2 bootloader.

    CVE-2020-14372

    It was discovered that the acpi command allows a privileged user to
    load crafted ACPI tables when Secure Boot is enabled.

    CVE-2020-25632

    A use-after-free vulnerability was found in the rmmod command.

    CVE-2020-25647

    An out-of-bound write vulnerability was found in the
    grub_usb_device_initialize() function, which is called to handle USB
    device initialization.

    CVE-2020-27749

    A stack buffer overflow flaw was found in grub_parser_split_cmdline.

    CVE-2020-27779

    It was discovered that the cutmem command allows a privileged user
    to remove memory regions when Secure Boot is enabled.

    CVE-2021-20225

    A heap out-of-bounds write vulnerability was found in the short form
    option parser.

    CVE-2021-20233

    A heap out-of-bound write flaw was found caused by mis-calculation
    of space required for quoting in the menu rendering.

    Further detailed information can be found at https://www.debian.org/security/2021-GRUB-UEFI-SecureBoot

    For the stable distribution (buster), these problems have been fixed in
    version 2.02+dfsg1-20+deb10u4.

    We recommend that you upgrade your grub2 packages.

    For the detailed security status of grub2 please refer to its security
    tracker page at:
    https://security-tracker.debian.org/tracker/grub2

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org
    -----BEGIN PGP SIGNATURE-----

    iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmA+ftVfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0RyFQ/+LdwWdxYOmXW3TCu/X5ChyjmXUO5nitRcUtpwuWjUjyIzcH5Q8SMX793s RidbruWIb9JE3vvdFHfOpqtF+xVsTwa0CH1dmWSsFYgIycLjzXetMuK0Fn3z14R3 C9wMbO6gTHob38+2LdnDr4GM4iCThxT0ekyFNawUZjtQPaKKNIL1F6eQm3kJrnNB nagQBUZbfewqrYClXGNxW4kESP47Y15eTiLDgqsjIPOtfxPi9ehy8+5vqQeO8YEt GojDHauHb3gxQVjmkFKIj2pJVVNXNocFP8E7CtZ/l8HPq7zwbcFq40h0zAWhcPmN Wxw1n3qfY9cwDn8hSU5s19CeYqejumZcoSuh74CfdPbwJ+gY0XZN9vJmsJqksPKp 8diwnyCOCcKofTl3zwE7+nxvG+aV+SCy6XI9XG35RnNEHDhprimLENlHXxCo8Fbk v2/wjjdsZ3ZQlXMFlr9bhBscgeewAk4SrGkxRKrlN/8SL9wFsL8xnlN7/K7HA5RY DorPIF3NOQQz21K24TvpILoKGlJgNbIPELssbrnDIdtCLhhDS1ZQ9PaHuRWIkich 3+Jp0e2JwHv92NaeBk0sRNSSa2metw8PpBs9xYHuAMCLfWJcRkTxnbWG7M3o3MqB 7dDsQMZnN+fS+3IlUU1XlVbUcPDT4rQSuUH46uYEfhKzRG99YBY=
    =phC9
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)