CVE-2020-27749

NameCVE-2020-27749
DescriptionA flaw was found in grub2 in versions prior to 2.06. Variable names present are expanded in the supplied command line into their corresponding variable contents, using a 1kB stack buffer for temporary storage, without sufficient bounds checking. If the function is called with a command line that references a variable with a sufficiently large payload, it is possible to overflow the stack buffer, corrupt the stack frame and control execution which could also circumvent Secure Boot protections. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-4867-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
grub2 (PTS)jessie, jessie (lts)2.02~beta2-22+deb8u2vulnerable
stretch (lts), stretch2.02~beta3-5+deb9u3vulnerable
buster (security), buster, buster (lts)2.06-3~deb10u4fixed
bullseye (security), bullseye2.06-3~deb11u6fixed
bookworm (security), bookworm2.06-13+deb12u1fixed
sid, trixie2.12-5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
grub2sourcebuster2.02+dfsg1-20+deb10u4DSA-4867-1
grub2source(unstable)2.04-16

Notes

[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
[jessie] - grub2 <ignored> (No SecureBoot support in jessie)

Search for package or bug name: Reporting problems