update: grub #1199

dongsupark · 2023-10-06T07:32:35Z

Name: grub
CVEs: CVE-2023-4692, CVE-2023-4693
CVSSs: 7.8, 4.6
Action Needed: update to >= 2.06-r9

Summary:

CVE-2023-4692: There is an out-of-bounds write in grub-core/fs/ntfs.c. An attacker may leverage this vulnerability by presenting a specially crafted NTFS filesystem image leading to GRUB's heap metadata corruption. Additionally, in some circumstances, the attack may also corrupt the UEFI firmware heap metadata. As a result arbitrary code execution and secure boot protection bypass may be achieved.
CVE-2023-4693: There is an out-of-bounds read at grub-core/fs/ntfs.c. A physically present attacker may leverage that by presenting a specially crafted NTFS file system image to read arbitrary memory locations. A successful attack may allow sensitive data cached in memory or EFI variables values to be leaked presenting a high confidentiality risk.

refmap.gentoo: https://bugs.gentoo.org/915131

dongsupark added security security concerns advisory security advisory labels Oct 6, 2023

dongsupark added this to Flatcar tactical, release planning, and roadmap Oct 6, 2023

github-project-automation bot moved this to 📝 Needs Triage in Flatcar tactical, release planning, and roadmap Oct 6, 2023

dongsupark moved this from 📝 Needs Triage to 🪵Backlog in Flatcar tactical, release planning, and roadmap Oct 6, 2023

krnowak mentioned this issue Oct 12, 2023

overlay sys-boot/grub: Update to 2.06-r9 flatcar/scripts#1264

Merged

2 tasks

krnowak closed this as completed in flatcar/scripts#1264 Oct 12, 2023

github-project-automation bot moved this from 🪵Backlog to Implemented in Flatcar tactical, release planning, and roadmap Oct 12, 2023

github-actions bot mentioned this issue Nov 9, 2023

Monthly contributions report 2023-09-22 - 2023-10-21 #1244

Closed

dongsupark added the cvss/HIGH > 7 && < 9 assessed CVSS label Dec 15, 2023

dongsupark removed this from Flatcar tactical, release planning, and roadmap Mar 19, 2024

Provide feedback