CVE-2020-14309
EUVD-2020-646130.07.2020, 13:15
There's an issue with grub2 in all versions before 2.06 when handling squashfs filesystems containing a symbolic link with name length of UINT32 bytes in size. The name size leads to an arithmetic overflow leading to a zero-size allocation further causing a heap-based buffer overflow with attacker controlled data.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| gnu | grub2 | 𝑥 < 2.06 |
| opensuse | leap | 15.1 |
| opensuse | leap | 15.2 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| grub2 |
| ||||||||||||||||||||||||
| grub2-signed |
| ||||||||||||||||||||||||
| grub2-unsigned |
|
References