CLSA-2024-1724266264
See a problem?- Import Source
- https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/centos-stream8els/CLSA-2024-1724266264.json
- JSON Data
- https://api.osv.dev/v1/vulns/CLSA-2024-1724266264
- Upstream
- Published
- 2024-08-21T19:58:03Z
- Modified
- 2026-06-01T00:32:55.228556658Z
- Summary
- grub2: Fix of 12 CVEs
- Details
-
- Fix package version number
- Use CloudLinux vendor cert
- Make this package installable only on a system having Cloudlinux signed components: grub2 and kernel
- Add patches from centos-8.5 ELS:
- CVE-2021-3695: out-of-bounds write in the heap area by a crafted 16-bit grayscale PNG image
- CVE-2021-3696: a heap out-of-bounds during the handling of Huffman tables in the PNG reader
- CVE-2021-3697: allowing user-controlled data to be written in heap by a crafted JPEG image
- CVE-2022-2601: possible circumventing of the secure boot mechanism by a malicious crafted pf2 font
- CVE-2022-28733: possible write past the end of the buffer because of integer underflow in grubnetrecvip4packets()
- CVE-2022-28734: out-of-bounds write when handling split HTTP headers
- CVE-2022-28736: use-after-free vulnerability in grubcmdchainloader()
- CVE-2022-3775: out-of-bounds write into grub2’s heap because of lack of proper validation of glyph’s width and height
- CVE-2023-4692: out-of-bounds write in grub2’s NTFS filesystem driver
- The following CVEs were fixed by previous patches additionally:
- CVE-2020-15706: a race condition in grubscriptfunction_create() leading to a use-after-free vulnerability
- CVE-2020-15707: integer overflows in efilinux leading to a heap-based buffer overflow
- A number of upstream fixes backported including:
- CVE-2024-1048: a flaw that may result in filesystem running out of free inodes or blocks
- References