Bugzilla – Bug 1217067
VUL-0: CVE-2023-4949: grub: memory corruption in XFS file system implementation
Last modified: 2024-03-19 05:23:05 UTC
An attacker with local access to a system (either through a disk or external drive) can present a modified XFS partition to grub-legacy in such a way as to exploit a memory corruption in grub’s XFS file system implementation.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4949
I assume "grub-legacy" means grub instead of grub2. This is related to CVE-2023-34325 (bsc#1215747).
(In reply to Carlos López from comment #1)
> I assume "grub-legacy" means grub instead of grub2.

grub2 maintainers, can you confirm?
(In reply to Carlos López from comment #2)
> (In reply to Carlos López from comment #1)
> > I assume "grub-legacy" means grub instead of grub2.
>
> grub2 maintainers, can you confirm?

Yes. To avoid confusion, grub-legacy is often used to refer to old grub whose development ended in 0.97. Also I didn't see discussion about XFS vulnerability recently in "grub2" upstream.
(In reply to Michael Chang from comment #3)
> (In reply to Carlos López from comment #2)
> > (In reply to Carlos López from comment #1)
> > > I assume "grub-legacy" means grub instead of grub2.
> >
> > grub2 maintainers, can you confirm?
>
> Yes. To avoid confusion, grub-legacy is often used to refer to old grub
> whose development ended in 0.97. Also I didn't see discussion about XFS
> vulnerability recently in "grub2" upstream.

Thanks, closing this since we do not ship legacy grub.
(In reply to Carlos López from comment #4)
> Thanks, closing this since we do not ship legacy grub.

(Actually it is technically under L3 support)