Bug 32997 - grub2 new security issues CVE-2023-469[23], CVE-2023-4001 and CVE-2024-1048
Summary: grub2 new security issues CVE-2023-469[23], CVE-2023-4001 and CVE-2024-1048
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-03-21 16:48 CET by Nicolas Salguero
Modified: 2024-03-28 04:54 CET (History)

See Also:
Source RPM: grub2-2.06-28.1.mga9.src.rpm
CVE: CVE-2023-4692, CVE-2023-4693, CVE-2023-4001, CVE-2024-1048
Status comment:


Attachments

Description Nicolas Salguero 2024-03-21 16:48:34 CET
Fedora has issued an advisory on March 20:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YSJAEGRR3XHMBBBKYOVMII4P34IXEYPE/

The fix is in the following patches from Fedora:
0349-grub-set-bootflag-Conservative-partial-fix-for-CVE-2.patch
0350-grub-set-bootflag-More-complete-fix-for-CVE-2024-104.patch
0351-grub-set-bootflag-Exit-calmly-when-not-running-as-ro.patch

Mageia 9 is also affected.
Nicolas Salguero 2024-03-21 16:49:01 CET

Source RPM: (none) => grub2-2.06-29.mga10.src.rpm
CVE: (none) => CVE-2024-1048
Whiteboard: (none) => MGA9TOO

Nicolas Salguero 2024-03-21 16:50:58 CET

Status comment: (none) => Patches available from Fedora

Comment 1 Lewis Smith 2024-03-22 21:44:12 CET
Different people have committed this, so assigning the bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2024-03-25 11:06:24 CET
I think we need the patches from Fedora starting from 0342-fs-xfs-Fix-memory-leaks-in-XFS-module.patch to 0358-fs-ntfs-Make-code-more-readable.patch.

CVE: CVE-2024-1048 => CVE-2023-4692, CVE-2023-4693, CVE-2024-1048
Summary: grub2 new security issue CVE-2024-1048 => grub2 new security issues CVE-2023-469[23] and CVE-2024-1048

Nicolas Salguero 2024-03-25 11:15:04 CET

Summary: grub2 new security issues CVE-2023-469[23] and CVE-2024-1048 => grub2 new security issues CVE-2023-469[23], CVE-2023-4001 and CVE-2024-1048
CVE: CVE-2023-4692, CVE-2023-4693, CVE-2024-1048 => CVE-2023-4692, CVE-2023-4693, CVE-2023-4001, CVE-2024-1048

Comment 3 Nicolas Salguero 2024-03-26 13:29:49 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An out-of-bounds write flaw was found in grub2's NTFS filesystem driver. This issue may allow an attacker to present a specially crafted NTFS filesystem image, leading to grub's heap metadata corruption. In some circumstances, the attack may also corrupt the UEFI firmware heap metadata. As a result, arbitrary code execution and secure boot protection bypass may be achieved. (CVE-2023-4692)

An out-of-bounds read flaw was found on grub2's NTFS filesystem driver. This issue may allow a physically present attacker to present a specially crafted NTFS file system image to read arbitrary memory locations. A successful attack allows sensitive data cached in memory or EFI variable values to be leaked, presenting a high Confidentiality risk. (CVE-2023-4693)

An authentication bypass flaw was found in GRUB due to the way that GRUB uses the UUID of a device to search for the configuration file that contains the password hash for the GRUB password protection feature. An attacker capable of attaching an external drive such as a USB stick containing a file system with a duplicate UUID (the same as in the "/boot/" file system) can bypass the GRUB password protection feature on UEFI systems, which enumerate removable drives before non-removable ones. (CVE-2023-4001)

A flaw was found in the grub2-set-bootflag utility of grub2. After the fix of CVE-2019-14865, grub2-set-bootflag will create a temporary file with the new grubenv content and rename it to the original grubenv file. If the program is killed before the rename operation, the temporary file will not be removed and may fill the filesystem when invoked multiple times, resulting in a filesystem out of free inodes or blocks. (CVE-2024-1048)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YSJAEGRR3XHMBBBKYOVMII4P34IXEYPE/
========================

Updated packages in core/updates_testing:
========================
grub2-2.06-28.2.mga9
grub2-common-2.06-28.2.mga9
grub2-efi-2.06-28.2.mga9
grub2-emu-2.06-28.2.mga9
grub2-emu-modules-2.06-28.2.mga9
grub2-mageia-theme-2.06-28.2.mga9

from SRPM:
grub2-2.06-28.2.mga9.src.rpm

Version: Cauldron => 9
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Status comment: Patches available from Fedora => (none)
Source RPM: grub2-2.06-29.mga10.src.rpm => grub2-2.06-28.1.mga9.src.rpm
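
Added example (not part of this bug report, the advisory, or the grub2 project): the CVE-2023-4001 description above says the bypass needs an attached drive whose filesystem UUID duplicates the one of the "/boot/" filesystem. The script below runs that check over blkid(8) output: it reports every UUID that appears on more than one block device and which devices carry it. The sample blkid lines are constructed for the example, not captured from a real machine; the device names and UUIDs in them are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or from grub2: find filesystem
# UUIDs shared by more than one attached block device (the precondition for
# the CVE-2023-4001 GRUB password bypass described in the advisory).

# Reads blkid(8)-style lines on stdin, e.g.
#   /dev/sda1: UUID="..." BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="..."
# Prints one line per duplicated UUID: "<uuid> <dev> <dev> ...".
# Returns 0 when every UUID is unique, 1 when a duplicate was found.
find_duplicate_uuids() {
    _dups=$(awk '
    {
        dev = $1
        sub(/:$/, "", dev)
        # The leading space keeps PARTUUID="..." from matching.
        if (match($0, / UUID="[^"]*"/)) {
            uuid = substr($0, RSTART + 7, RLENGTH - 8)
            count[uuid]++
            devs[uuid] = (count[uuid] > 1) ? devs[uuid] " " dev : dev
        }
    }
    END {
        for (u in count)
            if (count[u] > 1) print u, devs[u]
    }' | sort)
    [ -n "$_dups" ] && printf '%s\n' "$_dups"
    [ -z "$_dups" ]
}

# Constructed sample in blkid(8) output format (assumed device names and
# UUIDs, not from a real system): the removable /dev/sdb1 carries the same
# UUID as the internal /boot partition /dev/nvme0n1p2.
SAMPLE_BLKID='/dev/nvme0n1p1: UUID="A1B2-C3D4" TYPE="vfat" PARTUUID="0001-01"
/dev/nvme0n1p2: UUID="0e3a3c2f-6d0a-4b9a-9a2b-2a3f6c1d9e01" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="0001-02"
/dev/nvme0n1p3: UUID="9d0b7f1e-2c4e-4d0f-8d6a-3e1f0b2c7a55" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="0001-03"
/dev/sdb1: UUID="0e3a3c2f-6d0a-4b9a-9a2b-2a3f6c1d9e01" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="0002-01"'

# Runs the check over the constructed sample: prints the shared UUID with
# both devices and returns 1.
check_sample() {
    printf '%s\n' "$SAMPLE_BLKID" | find_duplicate_uuids
}

# Runs the check over the devices currently attached (run as root so blkid
# can read every device).
check_live() {
    blkid | find_duplicate_uuids
}

# Usage:  sh dup-uuid-check.sh sample        (constructed data)
#         sudo sh dup-uuid-check.sh live     (attached devices)
case "${1:-}" in
    sample) check_sample ;;
    live)   check_live ;;
esac
```

The check only sees devices attached while it runs, so a clean result does not rule out a drive plugged in at boot time; the update itself is the fix, this script just tells you whether the duplicate-UUID condition is present on a machine right now.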

PC LX 2024-03-26 16:29:29 CET

CC: (none) => mageia

katnatek 2024-03-26 18:01:28 CET

Keywords: (none) => advisory

Comment 4 katnatek 2024-03-27 01:57:14 CET
RH mageia 9 x86_64, updated without issues

LC_ALL=C urpmi --auto --auto-update 
medium "QA Testing (32-bit)" is up-to-date
updated medium "QA Testing (64-bit)"
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
medium "BDK-Free-x86_64" is up-to-date
medium "BDK-Free-noarch" is up-to-date
medium "BDK-NonFree-x86_64" is up-to-date
medium "MLO_core (MLO1)" is up-to-date
medium "MLO_nonfree (MLO2)" is up-to-date
medium "MLO_tainted (MLO3)" is up-to-date


installing grub2-common-2.06-28.2.mga9.x86_64.rpm grub2-efi-2.06-28.2.mga9.x86_64.rpm grub2-2.06-28.2.mga9.x86_64.rpm grub2-mageia-theme-2.06-28.2.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/4: grub2-efi             ##################################################################################################
      2/4: grub2-common          ##################################################################################################
      3/4: grub2                 ##################################################################################################
      4/4: grub2-mageia-theme    ##################################################################################################
      1/4: removing grub2-mageia-theme-2.06-28.1.mga9.noarch
                                 ##################################################################################################
      2/4: removing grub2-2.06-28.1.mga9.x86_64
                                 ##################################################################################################
      3/4: removing grub2-common-2.06-28.1.mga9.x86_64
                                 ##################################################################################################
      4/4: removing grub2-efi-2.06-28.1.mga9.x86_64
                                 ##################################################################################################

I'll reboot and report again
Comment 5 katnatek 2024-03-27 02:02:51 CET
RH mageia 9 x86_64

After reboot
The grub menu loads without issues
The system loads without issue
katnatek 2024-03-27 02:03:19 CET

CC: (none) => andrewsfarm

katnatek 2024-03-27 02:03:33 CET

Whiteboard: (none) => MGA9-64-OK

Comment 6 Cyril Levet 2024-03-27 08:46:10 CET
A user in the French forum has an issue with this update that forced him to repair grub with a live version of Mageia 9: https://www.mageialinux-online.org/forum/topic-31414-0-323155-grub-2-plantage-apres-mise-a-jour.php#m323155

I'm not sure how his repositories are configured or the exact version of the update he made. I have asked him and wait for his answers.

So please, wait before pushing this in Update.

CC: (none) => cyril.levet0780

Nicolas Salguero 2024-03-27 11:12:15 CET

Keywords: (none) => feedback

Comment 7 Nicolas Salguero 2024-03-27 14:46:17 CET
Hi,

Anyway, in my own tests with 3 PCs (2 with UEFI and one with a BIOS), I did not have any problem with that update.

Best regards,

Nico.
Comment 8 Thomas Andrews 2024-03-27 15:56:22 CET
Two of the vulnerabilities described in the advisory concern the NTFS filesystem driver. Have any of the tests so far been on systems multi-booting with a Windows NTFS system?

I can't do it, as I don't do Windows if I can avoid it, and even then it's only in VirtualBox.
Comment 9 PC LX 2024-03-27 16:16:25 CET
Installed and tested without issues.

Tested on multiple systems, including several virtual machines.
All systems booted OK and grub menu showed correctly.
All systems are using kernel 6.6.22-desktop-1.mga9.



Server System: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz.
Workstation System: Mageia 9, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.
VM 1 System: Mageia 9, x86_64, QEMU/KVM, LXQt DE, AMD Ryzen 5 5600G with Radeon Graphics, Radeon RX 6500 XT using amdgpu driver.
VM 2 System: Mageia 9, x86_64, QEMU/KVM, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics, virtio display driver and SPICE client.
VM 3 System: Mageia 9, aarch64, QEMU/KVM, WindowMaker DE, Cortex-A76 8 core emulation, virtio display driver and SPICE client.
Comment 10 katnatek 2024-03-27 18:46:44 CET
(In reply to Cyril Levet from comment #6)
> A user in the French forum have an issue with this update that force him to
> repair grub with a live version of Mageia 9 :
> https://www.mageialinux-online.org/forum/topic-31414-0-323155-grub-2-
> plantage-apres-mise-a-jour.php#m323155
> 
> I'm not sure how his repositories are configured or the exact version of the
> update he made. I have asked him and wait for his answers.
> 
> So please, wait before pushing this in Update.

The issue is in cauldron as the title says, so I think if we do not find issues in the tests for mageia 9 we proceed with the update
Comment 11 katnatek 2024-03-27 18:47:51 CET
(In reply to Thomas Andrews from comment #8)
> Two of the vulnerabilities described in the advisory concern the NTFS
> filesystem driver. Have any of the tests so far been on systems
> multi-booting with a Windows NTFS system?

Sorry, Mageia only, in my 2 RH and in the VM
Comment 12 Cyril Levet 2024-03-27 20:07:04 CET
(In reply to katnatek from comment #10)
> The issue is in cauldron as the title says, so I think if we not find issues
> in the test for mageia 9 we proceed with the update

The Cauldron in the title was a mistake by a moderator. It is Mageia 9 which is affected. 
But it seems that the user made a mistake by partially installing grub2 through testing.
Comment 13 Thomas Andrews 2024-03-28 01:13:59 CET
I tried to enlarge a Windows 7 VM and install Mageia in a dual-boot configuration, but it failed miserably, probably because the vdi was dynamically allocated.

I'm removing the feedback flag because of comment 12. Validating because of all the successful tests, and because comment 12 seems to have solved the mystery put forth in comment 6.

CC: (none) => sysadmin-bugs
Keywords: feedback => validated_update

Comment 14 Mageia Robot 2024-03-28 04:54:08 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0095.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

