Security Information / 2022 / Security Information -- DSA-5280-1 grub2

Debian Security Advisory

DSA-5280-1 grub2 -- security update

Date Reported:

15 Nov 2022

Affected Packages:

grub2

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2022-2601, CVE-2022-3775.

More information:

Several issues were found in GRUB2's font handling code, which could result in crashes and potentially execution of arbitrary code. These could lead to by-pass of UEFI Secure Boot on affected systems.

Further, issues were found in image loading that could potentially lead to memory overflows.

For the stable distribution (bullseye), these problems have been fixed in version 2.06-3~deb11u4.

We recommend that you upgrade your grub2 packages.

For the detailed security status of grub2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/grub2