CVE-2020-14310

Published: Jul 31, 2020Modified: Nov 21, 2024

6.0

Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Exploitability: 0.8 / Impact: 5.2

Source: NVD

Description

There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a malicious font file which has a name with UINT32_MAX, leading to read_section_as_string() to an arithmetic overflow, zero-sized allocation and further heap-based buffer overflow.

Affected (13)

Products: Gnu: Grub2 · Redhat: Enterprise Linux, Enterprise Linux Eus, Enterprise Linux Server Aus, Enterprise Linux Server Tus · Opensuse: Leap · +1 more

Show all products

Gnu: Grub2 · Redhat: Enterprise Linux, Enterprise Linux Eus, Enterprise Linux Server Aus, Enterprise Linux Server Tus · Opensuse: Leap · Canonical: Ubuntu Linux

1 product

4 products

Enterprise Linux

Enterprise Linux Eus

Enterprise Linux Server Aus

Enterprise Linux Server Tus

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Gnu Grub2	Before 2.06

Configuration B

6 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux	Version 7.0
Redhat Enterprise Linux	Version 8.0
Redhat Enterprise Linux Eus	Version 8.1
Redhat Enterprise Linux Eus	Version 8.2
Redhat Enterprise Linux Server Aus	Version 8.2
Redhat Enterprise Linux Server Tus	Version 8.2

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Opensuse Leap	Version 15.1
Opensuse Leap	Version 15.2

Configuration D

4 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 14.04
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 18.04
Canonical Ubuntu Linux	Version 20.04

Related CWEs

Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

References (10)

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00016.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00017.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14310

Source: secalert@redhat.com

Issue TrackingVendor Advisory

https://security.gentoo.org/glsa/202104-05

Source: secalert@redhat.com

Third Party Advisory

https://usn.ubuntu.com/4432-1/

Source: secalert@redhat.com

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00016.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00017.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14310

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

https://security.gentoo.org/glsa/202104-05

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://usn.ubuntu.com/4432-1/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.