Bug 1174570 – VUL-0: CVE-2020-15707: grub2: linux: Fix integer overflows in initrd size handling

Bug 1174570 - (CVE-2020-15707) VUL-0: CVE-2020-15707: grub2: linux: Fix integer overflows in initrd size handling

(CVE-2020-15707)
Summary:	VUL-0: CVE-2020-15707: grub2: linux: Fix integer overflows in initrd size han...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P1 - Urgent Severity: Critical
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/264291/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2020-07-27 19:54 UTC by Marcus Meissner
Modified:	2021-09-23 18:46 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
CVE-2020-15707.patch (4.62 KB, patch) 2020-07-27 19:55 UTC, Marcus Meissner	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 1 Marcus Meissner 2020-07-27 19:55:28 UTC

Created attachment 840087 [details]
CVE-2020-15707.patch

yet another patch

Comment 2 Marcus Meissner 2020-07-27 19:56:02 UTC

This patch has also been declared mandatory to fix.

Can you apply and resubmit all grub2?

Comment 3 Michael Chang 2020-07-28 03:39:23 UTC

(In reply to Marcus Meissner from comment #2)
> This patch has also been declared mandatory to fix.
> 
> Can you apply and resubmit all grub2?

Yes I am working on it.

Comment 4 Michael Chang 2020-07-28 05:31:32 UTC

The submission is done.

SLE15-SP2_Update: srid#223010
SLE15-SP1_Update: srid#223011
SLE15_Update:     srid#223012
SLE12-SP4_Update: srid#223013
SLE12-SP3_Update: srid#223014
SLE12-SP2_Update: srid#223015
SLE11-SP4_Update: srid#223016

Comment 6 Swamp Workflow Management 2020-07-29 22:13:42 UTC

SUSE-SU-2020:2073-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1168994,1173812,1174463,1174570
CVE References: CVE-2020-10713,CVE-2020-14308,CVE-2020-14309,CVE-2020-14310,CVE-2020-14311,CVE-2020-15706,CVE-2020-15707
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    grub2-2.02-19.48.1
SUSE Linux Enterprise Server 15-LTSS (src):    grub2-2.02-19.48.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    grub2-2.02-19.48.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    grub2-2.02-19.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 7 Swamp Workflow Management 2020-07-29 22:15:00 UTC

SUSE-SU-2020:2076-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1084632,1168994,1173812,1174463,1174570
CVE References: CVE-2020-10713,CVE-2020-14308,CVE-2020-14309,CVE-2020-14310,CVE-2020-14311,CVE-2020-15706,CVE-2020-15707
JIRA References: 
Sources used:
SUSE OpenStack Cloud 7 (src):    grub2-2.02~beta2-115.49.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    grub2-2.02~beta2-115.49.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    grub2-2.02~beta2-115.49.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    grub2-2.02~beta2-115.49.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 8 Swamp Workflow Management 2020-07-29 22:16:19 UTC

SUSE-SU-2020:2079-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1084632,1168994,1173812,1174463,1174570
CVE References: CVE-2020-10713,CVE-2020-14308,CVE-2020-14309,CVE-2020-14310,CVE-2020-14311,CVE-2020-15706,CVE-2020-15707
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    grub2-2.02-4.53.1
SUSE OpenStack Cloud 8 (src):    grub2-2.02-4.53.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    grub2-2.02-4.53.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    grub2-2.02-4.53.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    grub2-2.02-4.53.1
SUSE Enterprise Storage 5 (src):    grub2-2.02-4.53.1
HPE Helion Openstack 8 (src):    grub2-2.02-4.53.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 9 Swamp Workflow Management 2020-07-29 22:17:33 UTC

SUSE-SU-2020:2078-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1168994,1173812,1174463,1174570
CVE References: CVE-2020-10713,CVE-2020-14308,CVE-2020-14309,CVE-2020-14310,CVE-2020-14311,CVE-2020-15706,CVE-2020-15707
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    grub2-2.02-12.31.1
SUSE OpenStack Cloud 9 (src):    grub2-2.02-12.31.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    grub2-2.02-12.31.1
SUSE Linux Enterprise Server 12-SP5 (src):    grub2-2.02-12.31.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    grub2-2.02-12.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 10 Swamp Workflow Management 2020-07-29 22:19:26 UTC

SUSE-SU-2020:2074-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1168994,1173812,1174463,1174570
CVE References: CVE-2020-10713,CVE-2020-14308,CVE-2020-14309,CVE-2020-14310,CVE-2020-14311,CVE-2020-15706,CVE-2020-15707
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    grub2-2.04-9.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    grub2-2.04-9.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 11 Swamp Workflow Management 2020-07-29 22:21:26 UTC

SUSE-SU-2020:2077-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1168994,1173812,1174463,1174570
CVE References: CVE-2020-10713,CVE-2020-14308,CVE-2020-14309,CVE-2020-14310,CVE-2020-14311,CVE-2020-15706,CVE-2020-15707
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    grub2-2.02-26.25.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    grub2-2.02-26.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 12 Swamp Workflow Management 2020-07-29 22:22:44 UTC

SUSE-SU-2020:14440-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1084632,1168994,1173812,1174463,1174570
CVE References: CVE-2020-10713,CVE-2020-14308,CVE-2020-14309,CVE-2020-14310,CVE-2020-14311,CVE-2020-15706,CVE-2020-15707
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    grub2-2.00-0.66.15.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    grub2-2.00-0.66.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 13 Marcus Meissner 2020-07-30 05:24:57 UTC

bug is public

Comment 15 Swamp Workflow Management 2020-08-08 16:14:41 UTC

openSUSE-SU-2020:1168-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1168994,1173812,1174463,1174570
CVE References: CVE-2020-10713,CVE-2020-14308,CVE-2020-14309,CVE-2020-14310,CVE-2020-14311,CVE-2020-15706,CVE-2020-15707
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    grub2-2.02-lp151.21.21.4

Comment 16 Swamp Workflow Management 2020-08-08 16:16:35 UTC

openSUSE-SU-2020:1169-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1168994,1173812,1174463,1174570
CVE References: CVE-2020-10713,CVE-2020-14308,CVE-2020-14309,CVE-2020-14310,CVE-2020-14311,CVE-2020-15706,CVE-2020-15707
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    grub2-2.04-lp152.7.3.4

Comment 20 Michael Chang 2020-08-26 05:21:17 UTC

Patch submitted so marking the status to fixed.

Comment 21 Michael Chang 2020-08-26 08:09:43 UTC

Reassign completed bug to security-team@suse.de

Comment 22 Wolfgang Frisch 2020-09-02 08:28:39 UTC

Resolved.