Bug#1098319: grub2: CVE-2024-45774 CVE-2024-45775 CVE-2024-45776 CVE-2024-45777 CVE-2024-45778 CVE-2024-45779 CVE-2024-45780 CVE-2024-45781 CVE-2024-45782 CVE-2024-45783 CVE-2025-0622 CVE-2025-0624 CVE-2025-0677 CVE-2025-0678 CVE-2025-0684 CVE-2025-0685 CVE-2025-0686 CVE-2025-0689 CVE-2025-0690 CVE-2025-1118 CVE-2025-1125
Salvatore Bonaccorso
carnil at debian.org
Wed Feb 19 05:56:15 GMT 2025
Source: grub2
Version: 2.12-5
Severity: grave
Tags: upstream security
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerabilities were published for grub2.
CVE-2024-45774[0]:
| A flaw was found in grub2. A specially crafted JPEG file can cause
| the JPEG parser of grub2 to incorrectly check the bounds of its
| internal buffers, resulting in an out-of-bounds write. The
| possibility of overwriting sensitive information to bypass secure
| boot protections is not discarded.
CVE-2024-45775[1]:
| A flaw was found in grub2 where the grub_extcmd_dispatcher()
| function calls grub_arg_list_alloc() to allocate memory for the
| grub's argument list. However, it fails to check in case the memory
| allocation fails. Once the allocation fails, a NULL point will be
| processed by the parse_option() function, leading grub to crash or,
| in some rare scenarios, corrupt the IVT data.
CVE-2024-45776[2]:
| When reading the language .mo file in grub_mofile_open(), grub2
| fails to verify an integer overflow when allocating its internal
| buffer. A crafted .mo file may lead the buffer size calculation to
| overflow, leading to out-of-bound reads and writes. This flaw allows
| an attacker to leak sensitive data or overwrite critical data,
| possibly circumventing secure boot protections.
CVE-2024-45777[3]:
| grub-core/gettext: Integer overflow leads to Heap OOB Write
CVE-2024-45778[4]:
| fs/bfs: Integer overflow in the BFS parser
CVE-2024-45779[5]:
| fs/bfs: Integer overflow leads to Heap OOB Read (Write?) in the
| BFS parser
CVE-2024-45780[6]:
| fs/tar: Integer Overflow causes Heap OOB Write
CVE-2024-45781[7]:
| A flaw was found in grub2. When reading a symbolic link's name from
| a UFS filesystem, grub2 fails to validate the string length taken as
| an input. The lack of validation may lead to a heap out-of-bounds
| write, causing data integrity issues and eventually allowing an
| attacker to circumvent secure boot protections.
CVE-2024-45782[8]:
| fs/hfs: strcpy() using the volume name (fs/hfs.c:382)
CVE-2024-45783[9]:
| A flaw was found in grub2. When failing to mount an HFS+ grub, the
| hfsplus filesystem driver doesn't properly set an ERRNO value. This
| issue may lead to a NULL pointer access.
CVE-2025-0622[10]:
| A flaw was found in command/gpg. In some scenarios, hooks created by
| loaded modules are not removed when the related module is unloaded.
| This flaw allows an attacker to force grub2 to call the hooks once
| the module that registered it was unloaded, leading to a use-after-
| free vulnerability. If correctly exploited, this vulnerability may
| result in arbitrary code execution, eventually allowing the attacker
| to bypass secure boot protections.
CVE-2025-0624[11]:
| net: Out-of-bounds write in grub_net_search_config_file()
CVE-2025-0677[12]:
| UFS: Integer overflow may lead to heap based out-of-bounds write when
| handling symlinks
CVE-2025-0678[13]:
| squash4: Integer overflow may lead to heap based out-of-bounds write
| when reading data
CVE-2025-0684[14]:
| reiserfs: Integer overflow when handling symlinks may lead to heap
| based out-of-bounds write when reading data
CVE-2025-0685[15]:
| jfs: Integer overflow when handling symlinks may lead to heap based
| out-of-bounds write when reading data
CVE-2025-0686[16]:
| romfs: Integer overflow when handling symlinks may lead to heap based
| out-of-bounds write when reading data
CVE-2025-0689[17]:
| udf: Heap based buffer overflow in grub_udf_read_block() may lead to
| arbitrary code execution
CVE-2025-0690[18]:
| read: Integer overflow may lead to out-of-bounds write
CVE-2025-1118[19]:
| commands/dump: The dump command is not in lockdown when secure boot
| is enabled
CVE-2025-1125[20]:
| fs/hfs: Integer overflow may lead to heap based out-of-bounds write
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-45774
https://www.cve.org/CVERecord?id=CVE-2024-45774
[1] https://security-tracker.debian.org/tracker/CVE-2024-45775
https://www.cve.org/CVERecord?id=CVE-2024-45775
[2] https://security-tracker.debian.org/tracker/CVE-2024-45776
https://www.cve.org/CVERecord?id=CVE-2024-45776
[3] https://security-tracker.debian.org/tracker/CVE-2024-45777
https://www.cve.org/CVERecord?id=CVE-2024-45777
[4] https://security-tracker.debian.org/tracker/CVE-2024-45778
https://www.cve.org/CVERecord?id=CVE-2024-45778
[5] https://security-tracker.debian.org/tracker/CVE-2024-45779
https://www.cve.org/CVERecord?id=CVE-2024-45779
[6] https://security-tracker.debian.org/tracker/CVE-2024-45780
https://www.cve.org/CVERecord?id=CVE-2024-45780
[7] https://security-tracker.debian.org/tracker/CVE-2024-45781
https://www.cve.org/CVERecord?id=CVE-2024-45781
[8] https://security-tracker.debian.org/tracker/CVE-2024-45782
https://www.cve.org/CVERecord?id=CVE-2024-45782
[9] https://security-tracker.debian.org/tracker/CVE-2024-45783
https://www.cve.org/CVERecord?id=CVE-2024-45783
[10] https://security-tracker.debian.org/tracker/CVE-2025-0622
https://www.cve.org/CVERecord?id=CVE-2025-0622
[11] https://security-tracker.debian.org/tracker/CVE-2025-0624
https://www.cve.org/CVERecord?id=CVE-2025-0624
[12] https://security-tracker.debian.org/tracker/CVE-2025-0677
https://www.cve.org/CVERecord?id=CVE-2025-0677
[13] https://security-tracker.debian.org/tracker/CVE-2025-0678
https://www.cve.org/CVERecord?id=CVE-2025-0678
[14] https://security-tracker.debian.org/tracker/CVE-2025-0684
https://www.cve.org/CVERecord?id=CVE-2025-0684
[15] https://security-tracker.debian.org/tracker/CVE-2025-0685
https://www.cve.org/CVERecord?id=CVE-2025-0685
[16] https://security-tracker.debian.org/tracker/CVE-2025-0686
https://www.cve.org/CVERecord?id=CVE-2025-0686
[17] https://security-tracker.debian.org/tracker/CVE-2025-0689
https://www.cve.org/CVERecord?id=CVE-2025-0689
[18] https://security-tracker.debian.org/tracker/CVE-2025-0690
https://www.cve.org/CVERecord?id=CVE-2025-0690
[19] https://security-tracker.debian.org/tracker/CVE-2025-1118
https://www.cve.org/CVERecord?id=CVE-2025-1118
[20] https://security-tracker.debian.org/tracker/CVE-2025-1125
https://www.cve.org/CVERecord?id=CVE-2025-1125
[21] https://www.openwall.com/lists/oss-security/2025/02/18/3
[22] https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
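
The bug classes named in the descriptions above (a buffer size calculation that overflows, as in CVE-2024-45776, and an allocation result that is never checked, as in CVE-2024-45775) can be shown next to their hardened form. This is an added example, not part of the original report and not GRUB's code or its fix; the record layout, the function names and the "length plus terminator byte" case are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical on-disk record: an offset/length pair, 8 bytes. */
struct entry { uint32_t offset; uint32_t length; };

/* "Before" form: the 32-bit multiply wraps silently for large counts,
   so a huge attacker-supplied count can yield a tiny buffer size. */
uint32_t unchecked_table_size(uint32_t count)
{
    return count * (uint32_t) sizeof(struct entry);
}

/* Hardened form: reject arithmetic overflow, reject a table larger than
   the file it came from, and report allocation failure to the caller. */
struct entry *checked_table_alloc(uint32_t count, size_t file_size, size_t *out_size)
{
    size_t size;
    if (__builtin_mul_overflow((size_t) count, sizeof(struct entry), &size))
        return NULL;                       /* wraps where size_t is 32 bits */
    if (size == 0 || size > file_size)
        return NULL;                       /* catches it where size_t is 64 bits */
    struct entry *table = malloc(size);
    if (table == NULL)
        return NULL;                       /* never hand NULL to the parser */
    memset(table, 0, size);
    *out_size = size;
    return table;
}

/* Name read from a length field: the +1 for the terminator is checked,
   and the copy is bounded by the bytes actually available in src. */
char *checked_name_alloc(uint32_t len_field, const char *src, size_t src_avail)
{
    uint32_t need;
    if (__builtin_add_overflow(len_field, 1u, &need))
        return NULL;                       /* 0xFFFFFFFF + 1 would wrap to 0 */
    if (len_field > src_avail)
        return NULL;
    char *name = malloc(need);
    if (name == NULL)
        return NULL;
    memcpy(name, src, len_field);
    name[len_field] = '\0';
    return name;
}

int main(void) { return unchecked_table_size(0x20000000u) == 0 ? 0 : 1; }
```

`__builtin_mul_overflow` and `__builtin_add_overflow` are GCC/Clang builtins; the count `0x20000000` is a constructed value chosen so that the unchecked 32-bit product is exactly zero.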