Oval Definition:oval:com.redhat.rhsa:def:20203217
Revision Date:2020-07-29Version:642
Title:RHSA-2020:3217: grub2 security and bug fix update (Moderate)
Description:The grub2 packages provide version 2 of the Grand Unified Boot Loader (GRUB), a highly configurable and customizable boot loader with modular architecture. The packages support a variety of kernel formats, file systems, computer architectures, and hardware devices.

The shim package contains a first-stage UEFI boot loader that handles chaining to a trusted full boot loader under secure boot environments.

The fwupdate packages provide a service that allows session software to update device firmware.

Security Fix(es):

  • grub2: Crafted grub.cfg file can lead to arbitrary code execution during boot process (CVE-2020-10713)

  • grub2: grub_malloc does not validate allocation size allowing for arithmetic overflow and subsequent heap-based buffer overflow (CVE-2020-14308)

  • grub2: Integer overflow in grub_squash_read_symlink may lead to heap-based buffer overflow (CVE-2020-14309)

  • grub2: Integer overflow read_section_as_string may lead to heap-based buffer overflow (CVE-2020-14310)

  • grub2: Integer overflow in grub_ext2_read_link leads to heap-based buffer overflow (CVE-2020-14311)

  • grub2: Fail kernel validation without shim protocol (CVE-2020-15705)

  • grub2: Use-after-free redefining a function whilst the same function is already executing (CVE-2020-15706)

  • grub2: Integer overflow in initrd size handling (CVE-2020-15707)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

  • grub2 doesn't handle relative paths correctly for UEFI HTTP Boot (BZ#1616395)

  • UEFI HTTP boot over IPv6 does not work (BZ#1732765)

    Users of grub2 are advised to upgrade to these updated packages, which fix these bugs.
  • Family:unixClass:patch
    Status:Reference(s):CVE-2020-10713
    CVE-2020-14308
    CVE-2020-14309
    CVE-2020-14310
    CVE-2020-14311
    CVE-2020-15705
    CVE-2020-15706
    CVE-2020-15707
    RHSA-2020:3217
    Platform(s):Red Hat Enterprise Linux 7
    Product(s):
    Definition Synopsis
  • Red Hat Enterprise Linux must be installed
  • OR Package Information
  • Red Hat Enterprise Linux 7 is installed
  • AND
  • shim-unsigned-ia32 is earlier than 0:15-7.el7_9
  • AND shim-unsigned-ia32 is signed with Red Hat redhatrelease2 key
  • shim-unsigned-x64 is earlier than 0:15-7.el7_9
  • AND shim-unsigned-x64 is signed with Red Hat redhatrelease2 key
  • fwupdate is earlier than 0:12-6.el7_8
  • AND fwupdate is signed with Red Hat redhatrelease2 key
  • fwupdate-devel is earlier than 0:12-6.el7_8
  • AND fwupdate-devel is signed with Red Hat redhatrelease2 key
  • fwupdate-efi is earlier than 0:12-6.el7_8
  • AND fwupdate-efi is signed with Red Hat redhatrelease2 key
  • fwupdate-libs is earlier than 0:12-6.el7_8
  • AND fwupdate-libs is signed with Red Hat redhatrelease2 key
  • grub2 is earlier than 1:2.02-0.86.el7_8
  • AND grub2 is signed with Red Hat redhatrelease2 key
  • grub2-common is earlier than 1:2.02-0.86.el7_8
  • AND grub2-common is signed with Red Hat redhatrelease2 key
  • grub2-efi-aa64-modules is earlier than 1:2.02-0.86.el7_8
  • AND grub2-efi-aa64-modules is signed with Red Hat redhatrelease2 key
  • grub2-efi-ia32 is earlier than 1:2.02-0.86.el7_8
  • AND grub2-efi-ia32 is signed with Red Hat redhatrelease2 key
  • grub2-efi-ia32-cdboot is earlier than 1:2.02-0.86.el7_8
  • AND grub2-efi-ia32-cdboot is signed with Red Hat redhatrelease2 key
  • grub2-efi-ia32-modules is earlier than 1:2.02-0.86.el7_8
  • AND grub2-efi-ia32-modules is signed with Red Hat redhatrelease2 key
  • grub2-efi-x64 is earlier than 1:2.02-0.86.el7_8
  • AND grub2-efi-x64 is signed with Red Hat redhatrelease2 key
  • grub2-efi-x64-cdboot is earlier than 1:2.02-0.86.el7_8
  • AND grub2-efi-x64-cdboot is signed with Red Hat redhatrelease2 key
  • grub2-efi-x64-modules is earlier than 1:2.02-0.86.el7_8
  • AND grub2-efi-x64-modules is signed with Red Hat redhatrelease2 key
  • grub2-pc is earlier than 1:2.02-0.86.el7_8
  • AND grub2-pc is signed with Red Hat redhatrelease2 key
  • grub2-pc-modules is earlier than 1:2.02-0.86.el7_8
  • AND grub2-pc-modules is signed with Red Hat redhatrelease2 key
  • grub2-ppc-modules is earlier than 1:2.02-0.86.el7_8
  • AND grub2-ppc-modules is signed with Red Hat redhatrelease2 key
  • grub2-ppc64 is earlier than 1:2.02-0.86.el7_8
  • AND grub2-ppc64 is signed with Red Hat redhatrelease2 key
  • grub2-ppc64-modules is earlier than 1:2.02-0.86.el7_8
  • AND grub2-ppc64-modules is signed with Red Hat redhatrelease2 key
  • grub2-ppc64le is earlier than 1:2.02-0.86.el7_8
  • AND grub2-ppc64le is signed with Red Hat redhatrelease2 key
  • grub2-ppc64le-modules is earlier than 1:2.02-0.86.el7_8
  • AND grub2-ppc64le-modules is signed with Red Hat redhatrelease2 key
  • grub2-tools is earlier than 1:2.02-0.86.el7_8
  • AND grub2-tools is signed with Red Hat redhatrelease2 key
  • grub2-tools-extra is earlier than 1:2.02-0.86.el7_8
  • AND grub2-tools-extra is signed with Red Hat redhatrelease2 key
  • grub2-tools-minimal is earlier than 1:2.02-0.86.el7_8
  • AND grub2-tools-minimal is signed with Red Hat redhatrelease2 key
  • mokutil is earlier than 0:15-7.el7_8
  • AND mokutil is signed with Red Hat redhatrelease2 key
  • shim-ia32 is earlier than 0:15-7.el7_8
  • AND shim-ia32 is signed with Red Hat redhatrelease2 key
  • shim-x64 is earlier than 0:15-7.el7_8
  • AND shim-x64 is signed with Red Hat redhatrelease2 key
  • BACK