Debian Long Term Support / LTS Security Information / 2022 / Security Information -- DLA-3190-2 grub2

Debian Security Advisory

DLA-3190-2 grub2 -- LTS security update

Date Reported:

10 Dec 2022

Affected Packages:

grub2

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 1024617.
In Mitre's CVE dictionary: CVE-2022-2601, CVE-2022-3775.

More information:

Zhang Boyang reported that the grub2 update released as DLA 3190-1 did not correctly apply fixes for CVE-2022-2601 and CVE-2022-3775. Updated packages are now available to address this issue. For reference the original advisory text follows.

Several issues were found in GRUB2's font handling code, which could result in crashes and potentially execution of arbitrary code. These could lead to by-pass of UEFI Secure Boot on affected systems.

Further, issues were found in image loading that could potentially lead to memory overflows.

For Debian 10 buster, these problems have been fixed in version 2.06-3~deb10u3.

We recommend that you upgrade your grub2 packages.

For the detailed security status of grub2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/grub2

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS