CVSS: 6.0EPSS: 0%CPEs: 13EXPL: 0CVE-2020-14311 – grub2: Integer overflow in grub_ext2_read_link leads to heap-based buffer overflow
https://notcve.org/view.php?id=CVE-2020-14311
There is an issue with grub2 before version 2.06 while handling symlink on ext filesystems. A filesystem containing a symbolic link with an inode size of UINT32_MAX causes an arithmetic overflow leading to a zero-sized memory allocation with subsequent heap-based buffer overflow. Se presenta un problema con grub2 versiones anteriores a 2.06, mientras se maneja un symlink en los sistemas de archivos ext. Un sistema de archivos que contiene un enlace simbólico con un tamaño de inode de UINT32_MAX causa un desbordamiento aritmético conllevando a una asignación de memoria de tamaño cero con el posterior desbordamiento del búfer en la región heap de la memoria A flaw was found in grub2 while handling symlink on ext filesystems. A filesystem containing a symbolic link with an inode size of UINT32_MAX causes an arithmetic overflow, leading to a zero-sized memory allocation with a subsequent heap-based buffer overflow. • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00016.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00017.html http://www.openwall.com/lists/oss-security/2021/09/17/2 http://www.openwall.com/lists/oss-security/2021/09/17/4 http://www.openwall.com/lists/oss-security/2021/09/21/1 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14311 https://security.gentoo.org/glsa/202104-05 https://usn.ubuntu.com/4432-1 https://acce • CWE-122: Heap-based Buffer Overflow CWE-190: Integer Overflow or Wraparound •
CVSS: 6.4EPSS: 0%CPEs: 33EXPL: 1CVE-2020-15707 – GRUB2 contained integer overflows when handling the initrd command, leading to a heap-based buffer overflow.
https://notcve.org/view.php?id=CVE-2020-15707
Integer overflows were discovered in the functions grub_cmd_initrd and grub_initrd_init in the efilinux component of GRUB2, as shipped in Debian, Red Hat, and Ubuntu (the functionality is not included in GRUB2 upstream), leading to a heap-based buffer overflow. These could be triggered by an extremely large number of arguments to the initrd command on 32-bit architectures, or a crafted filesystem with very large files on any architecture. An attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions. This issue affects GRUB2 version 2.04 and prior versions. Se detectaron desbordamientos de enteros en las funciones grub_cmd_initrd y grub_initrd_init en el componente efilinux de GRUB2, como se incluye en Debian, Red Hat y Ubuntu (la funcionalidad no está incluida aguas arriba de GRUB2), conllevando a un desbordamiento del búfer en la región heap de la memoria. • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00016.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00017.html http://ubuntu.com/security/notices/USN-4432-1 http://www.openwall.com/lists/oss-security/2020/07/29/3 https://access.redhat.com/security/vulnerabilities/grub2bootloader https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011 https://security.gentoo.org/ • CWE-190: Integer Overflow or Wraparound CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 6.0EPSS: 0%CPEs: 13EXPL: 0CVE-2020-14310 – grub2: Integer overflow read_section_as_string may lead to heap-based buffer overflow
https://notcve.org/view.php?id=CVE-2020-14310
There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a malicious font file which has a name with UINT32_MAX, leading to read_section_as_string() to an arithmetic overflow, zero-sized allocation and further heap-based buffer overflow. Se presenta un problema en grub2 versiones anteriores a 2.06, en la función read_section_as_string(). Se espera que el nombre de la fuente sea una longitud máxima UINT32_MAX - 1 en bytes, pero no lo verifica antes de proceder con la asignación del búfer para leer el valor desde el valor de la fuente. • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00016.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00017.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14310 https://security.gentoo.org/glsa/202104-05 https://usn.ubuntu.com/4432-1 https://access.redhat.com/security/cve/CVE-2020-14310 https://bugzilla.redhat.com/show_bug.cgi?id=1852030 • CWE-122: Heap-based Buffer Overflow CWE-190: Integer Overflow or Wraparound •
CVSS: 6.5EPSS: 0%CPEs: 12EXPL: 0CVE-2020-10756 – QEMU SLiRP Networking Out-Of-Bounds Read Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2020-10756
An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible information disclosure. This flaw affects versions of libslirp before 4.3.1. Se encontró una vulnerabilidad de lectura fuera de límites en la implementación de red SLiRP del emulador QEMU. • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00035.html http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00040.html https://bugzilla.redhat.com/show_bug.cgi?id=1835986 https://lists.debian.org/debian-lts-announce/2020/07/msg00020.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JYTZ32P67PZER6P7TW6FQK3SZRKQLVEI https://security.netapp.com/advisory/ntap-20201001-0001 https://usn.ubuntu.com/4437-1 https://usn.ubuntu.com/ • CWE-125: Out-of-bounds Read •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 1CVE-2020-10769 – kernel: Buffer over-read in crypto_authenc_extractkeys() when a payload longer than 4 bytes is not aligned.
https://notcve.org/view.php?id=CVE-2020-10769
A buffer over-read flaw was found in RH kernel versions before 5.0 in crypto_authenc_extractkeys in crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload longer than 4 bytes, and is not following 4-byte alignment boundary guidelines, it causes a buffer over-read threat, leading to a system crash. This flaw allows a local attacker with user privileges to cause a denial of service. Se encontró un defecto de lectura excesiva del búfer en el kernel de RH versiones anteriores a 5.0, en la función crypto_authenc_extractkeys en el archivo crypto/authenc.c en el módulo del algoritmo Criptográfico IPsec, authenc. Cuando una carga útil de más de 4 bytes y no sigue las pautas de límites de alineación de 4 bytes, esto causa una amenaza de lectura excesiva del búfer, conllevando a un bloqueo del sistema. • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00009.html https://bugzilla.redhat.com/show_bug.cgi?id=1708775%3B https://lkml.org/lkml/2019/1/21/675 https://www.oracle.com/security-alerts/cpuApr2021.html https://access.redhat.com/security/cve/CVE-2020-10769 https://bugzilla.redhat.com/show_bug.cgi?id=1708775 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-125: Out-of-bounds Read •