SUSE-SU-2025:01961-1

See a problem?
Please try reporting it to the source first.
Source
https://www.suse.com/support/update/announcement/2025/suse-su-202501961-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:01961-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2025:01961-1
Upstream
Related
Published
2025-06-16T10:03:22Z
Modified
2026-03-23T04:46:24.715250Z
Summary
Security update for grub2
Details

This update for grub2 fixes the following issues:

  • CVE-2023-4692: nfs: out-of-bounds write at fs/ntfs.c may lead to unsigned code execution (bsc#1215935).
  • CVE-2023-4693: nfs: out-of-bounds read at fs/ntfs.c (bsc#1215936).
  • CVE-2024-45774: heap overflows in JPEG parser (bsc#1233609).
  • CVE-2024-45775: missing NULL check in extcmd parser (bsc#1233610).
  • CVE-2024-45776: overflow in .MO file (gettext) handling (bsc#1233612).
  • CVE-2024-45777: integer overflow in gettext (bsc#1233613).
  • CVE-2024-45778: bfs filesystem not fuzzing stable (bsc#1233606).
  • CVE-2024-45779: bfs: heap overflow (bsc#1233608).
  • CVE-2024-45780: overflow in tar/cpio (bsc#1233614).
  • CVE-2024-45781: ufs: strcpy overflow (bsc#1233617).
  • CVE-2024-45782: hfs: strcpy overflow (bsc#1233615).
  • CVE-2024-45783: hfsplus: refcount overflow (bsc#1233616).
  • CVE-2024-56737: heap-based buffer overflow in fs/hfs.c via crafted sblock data in an HFS filesystem (bsc#1234958).
  • CVE-2025-0622: command/gpg: Use-after-free due to hooks not being removed on module unload (bsc#1236317).
  • CVE-2025-0624: net: Out-of-bounds write in grubnetsearchconfigfile() (bsc#1236316).
  • CVE-2025-0677: ufs: Integer overflow may lead to heap based out-of-bounds write when handling symlinks (bsc#1237002).
  • CVE-2025-0678: squash4: Integer overflow may lead to heap based out-of-bounds write when reading data (bsc#1237006).
  • CVE-2025-0684: reiserfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data (bsc#1237008).
  • CVE-2025-0685: jfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data (bsc#1237009).
  • CVE-2025-0686: romfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data (bsc#1237010).
  • CVE-2025-0689: udf: Heap based buffer overflow in grubudfread_block() may lead to arbitrary code execution (bsc#1237011).
  • CVE-2025-0690: read: Integer overflow may lead to out-of-bounds write (bsc#1237012).
  • CVE-2025-1118: commands/dump: The dump command is not in lockdown when secure boot is enabled (bsc#1237013).
  • CVE-2025-1125: fs/hfs: Interger overflow may lead to heap based out-of-bounds write (bsc#1237014).

Other bugfixes:

  • Bump upstream SBAT generation to 5
References

Affected packages

SUSE:Linux Enterprise Micro 5.1 / grub2

Package

Name
grub2
Purl
pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Enterprise%20Micro%205.1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.04-150300.3.11.1

Ecosystem specific 

{
    "binaries": [
        {
            "grub2": "2.04-150300.3.11.1",
            "grub2-x86_64-efi": "2.04-150300.3.11.1",
            "grub2-snapper-plugin": "2.04-150300.3.11.1",
            "grub2-s390x-emu": "2.04-150300.3.11.1",
            "grub2-arm64-efi": "2.04-150300.3.11.1",
            "grub2-i386-pc": "2.04-150300.3.11.1",
            "grub2-x86_64-xen": "2.04-150300.3.11.1"
        }
    ]
}

Database specific

source 
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:01961-1.json"