Bug 1217067 (CVE-2023-4949)

Summary: VUL-0: CVE-2023-4949: grub: memory corruption in XFS file system implementation
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: package coldpool <coldpool>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: bootloader-maintainers, carlos.lopez, mchang
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/384532/
See Also: https://bugzilla.suse.com/show_bug.cgi?id=1221592
Whiteboard: CVSSv3.1:SUSE:CVE-2023-4949:8.1:(AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2023-11-13 08:41:18 UTC
An attacker with local access to a system (either through a disk or external
drive) can present a modified XFS partition to grub-legacy in such a way to
exploit a memory corruption in grub’s XFS file system implementation.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4949
Comment 1 Carlos López 2023-11-13 08:42:58 UTC
I assume "grub-legacy" means grub instead of grub2. This is related to CVE-2023-34325 (bsc#1215747).
Comment 2 Carlos López 2023-11-13 08:43:47 UTC
(In reply to Carlos López from comment #1)
> I assume "grub-legacy" means grub instead of grub2.

grub2 maintainers, can you confirm?
Comment 3 Michael Chang 2023-11-14 01:25:02 UTC
(In reply to Carlos López from comment #2)
> (In reply to Carlos López from comment #1)
> > I assume "grub-legacy" means grub instead of grub2.
> 
> grub2 maintainers, can you confirm?

Yes. To avoid confusion, grub-legacy is often used to refer to old grub, whose development ended in 0.97. Also, I didn't see any discussion about an XFS vulnerability recently in "grub2" upstream.
Comment 4 Carlos López 2023-11-15 13:54:35 UTC
(In reply to Michael Chang from comment #3)
> (In reply to Carlos López from comment #2)
> > (In reply to Carlos López from comment #1)
> > > I assume "grub-legacy" means grub instead of grub2.
> > 
> > grub2 maintainers, can you confirm?
> 
> Yes. To avoid confusion, grub-legacy is often used to refer to old grub,
> whose development ended in 0.97. Also, I didn't see any discussion about an XFS
> vulnerability recently in "grub2" upstream.

Thanks, closing this since we do not ship legacy grub.
Comment 5 Carlos López 2023-11-15 14:26:44 UTC
(In reply to Carlos López from comment #4)
> Thanks, closing this since we do not ship legacy grub.

(Actually, it is technically under L3 support.)