Debian Security Advisory

DLA-3190-1 grub2 -- LTS security update

Date Reported:
16 Nov 2022
Affected Packages:
grub2
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2022-2601, CVE-2022-3775.
More information:

Several issues were found in GRUB2's font handling code, which could result in crashes and potentially execution of arbitrary code. These could lead to by-pass of UEFI Secure Boot on affected systems.

Further, issues were found in image loading that could potentially lead to memory overflows.

For Debian 10 buster, these problems have been fixed in version 2.06-3~deb10u2.

We recommend that you upgrade your grub2 packages.

For the detailed security status of grub2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/grub2

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS