Bug 622454 (CVE-2017-9763) - <sys-boot/grub-2.02_beta2-r3: Stack exhaustion in grub_ext2_read_block
Summary: <sys-boot/grub-2.02_beta2-r3: Stack exhaustion in grub_ext2_read_block
Status: RESOLVED OBSOLETE
Alias: CVE-2017-9763
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [noglsa cve]
Reported: 2017-06-22 10:02 UTC by Agostino Sarubbo
Modified: 2017-06-28 12:34 UTC

Description Agostino Sarubbo gentoo-dev 2017-06-22 10:02:10 UTC
From ${URL} :

The grub_ext2_read_block function in fs/ext2.c in GNU GRUB before 2013-11-12, as used in shlr/grub/fs/ext2.c in radare2 1.5.0, allows remote attackers to cause a denial of service (excessive stack use and application crash) via a crafted binary file, related to use of a variable-size stack array.

Upstream patch:

https://git.savannah.gnu.org/cgit/grub.git/commit/grub-core/fs/ext2.c?id=ac8cac1dac50daaf1c390d701cca3b55e16ee768


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
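
An added illustration of the bug class named in the CVE text above (not part of the original report, and not GRUB's or radare2's code): an indirect-block lookup that validates the image-supplied block size and uses a heap buffer instead of a stack array sized from it. The names `lookup_indirect`, `read_block_fn`, `fake_read` and the 64 KiB block-size cap are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdlib.h>

enum { IND_OK = 0, IND_BAD_GEOMETRY = -1, IND_OUT_OF_RANGE = -2, IND_NO_MEMORY = -3, IND_IO = -4 };

/* ext2 block size is 1024 << s_log_block_size, a field read from the image.
 * The cap of 6 (64 KiB blocks) is an assumption of this sketch. */
#define MAX_LOG_BLOCK_SIZE 6u

/* Hypothetical block reader: fills buf with len bytes of block blkno. */
typedef int (*read_block_fn)(void *ctx, uint32_t blkno, uint8_t *buf, size_t len);

/* Fetch entry `index` of an indirect block. The risky pattern is a local
 * array whose length derives from blksz; here the size is checked first and
 * the buffer is heap-allocated, so a bad image yields an error code. */
int lookup_indirect(read_block_fn rd, void *ctx, uint32_t log_block_size,
                    uint32_t indirect_blkno, uint32_t index, uint32_t *out)
{
    if (log_block_size > MAX_LOG_BLOCK_SIZE)
        return IND_BAD_GEOMETRY;
    size_t blksz = (size_t)1024 << log_block_size;
    if (index >= blksz / 4)
        return IND_OUT_OF_RANGE;
    uint8_t *indir = malloc(blksz);
    if (indir == NULL)
        return IND_NO_MEMORY;
    int rc = rd(ctx, indirect_blkno, indir, blksz);
    if (rc == 0) {
        const uint8_t *p = indir + (size_t)index * 4;  /* on-disk little-endian */
        *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
               (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    }
    free(indir);
    return rc == 0 ? IND_OK : IND_IO;
}

/* Constructed sample device: entry i of block b holds b * 1000 + i. */
static int fake_read(void *ctx, uint32_t blkno, uint8_t *buf, size_t len)
{
    (void)ctx;
    for (size_t i = 0; i + 4 <= len; i += 4) {
        uint32_t v = blkno * 1000u + (uint32_t)(i / 4);
        for (int k = 0; k < 4; k++) buf[i + k] = (uint8_t)(v >> (8 * k));
    }
    return 0;
}

int main(void) { uint32_t out = 0; return lookup_indirect(fake_read, NULL, 0, 7, 5, &out) != IND_OK; }
```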
Comment 1 Mike Gilbert gentoo-dev 2017-06-22 13:24:00 UTC
This commit was included in GRUB 2.02~beta1.

There are no affected versions of sys-boot/grub:2 in the Gentoo repository.

The relevant code does not exist in sys-boot/grub:0.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-06-22 13:43:40 UTC
thanks, so to make sure understanding is correct; we've had a fixed version in tree since

-*grub-2.02_beta1 (19 Dec 2013)
-
-  19 Dec 2013; Mike Gilbert <floppym@gentoo.org> +grub-2.02_beta1.ebuild,
-  grub-9999-r1.ebuild:
-  Version bump.

this was never stable, but _beta2-r3 got stable in bug 522314, so correct resolving has vulnerable <sys-boot/grub-2.02_beta2-r3 (arguably it was fixed for amd64 in -r0 but due to premature stop of stabilization process after single arch in favor of new revision and the timeline involved I'm ignoring that to ensure consistency across arches)
Comment 3 Mike Gilbert gentoo-dev 2017-06-22 16:30:18 UTC
(In reply to Kristian Fiskerstrand from comment #2)

I haven't verified all that, but it sounds about right.
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-06-22 16:52:59 UTC
(In reply to Mike Gilbert from comment #3)
> (In reply to Kristian Fiskerstrand from comment #2)
> 
> I haven't verified all that, but it sounds about right.

sounds good, then the affected range is already covered by 
https://security.gentoo.org/glsa/201512-03 so no direct need to issue a GLSA for the particular issue, so if I get a 2nd vote from another security member I propose we tag this as [noglsa]
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-06-22 16:54:03 UTC
CVE-2017-9763 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9763):
  The grub_ext2_read_block function in fs/ext2.c in GNU GRUB before
  2013-11-12, as used in shlr/grub/fs/ext2.c in radare2 1.5.0, allows remote
  attackers to cause a denial of service (excessive stack use and application
  crash) via a crafted binary file, related to use of a variable-size stack
  array.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-28 12:34:20 UTC
Second vote for noglsa.

All done, repository is clean.

Closing as "OBSOLETE" because vulnerability is valid but was already addressed.