Chris Coulson

**Name of the Vulnerable Software and Affected Versions** GRUB2 (affected versions not specified) **Description** The issue is related to a use-after-free vulnerability in the `grub cmd chainloader()` function. This function is used to boot operating systems that do not support multiboot and do not have direct support from GRUB2. When the chainloader command is executed more than once, the vulnerability is triggered. If an attacker can control GRUB2's memory allocation pattern, sensitive data may be exposed, and arbitrary code execution can be achieved. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** shim (affected versions not specified) **Description** The issue is related to the `handle image()` function in the UEFI bootloader shim, which is vulnerable to a buffer overflow when processing EFI files that take into account the `SizeOfRawData` field. This can allow an attacker to perform out-of-bound writes into memory, potentially leading to arbitrary code execution or denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** grub2 versions prior to 2.06 **Description** A flaw was found in grub2 where variable names in the command line are expanded into their corresponding contents using a 1kB stack buffer without sufficient bounds checking. This can lead to a stack buffer overflow if a variable with a large payload is referenced, potentially corrupting the stack frame and controlling execution, which could also circumvent Secure Boot protections. The highest threat from this issue is to data confidentiality and integrity as well as system availability. **Recommendations** For versions prior to 2.06, update to version 2.06 or later to resolve the issue. As a temporary workaround, consider restricting the use of variables in the command line to minimize the risk of exploitation. Avoid using variables with large payloads in the command line until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Grub2 versions prior to 2.06 **Description** The issue is related to an integer overflow in the implementation of the dynamic memory allocation function in the Grub2 operating system loader. This can lead to the function returning invalid memory allocations, potentially affecting the integrity, confidentiality, and availability of information during the boot process. **Recommendations** For Grub2 versions prior to 2.06, update to version 2.06 or later to resolve the issue. As a temporary workaround, consider restricting the use of dynamic memory allocation in the Grub2 loader until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Grub2 versions prior to 2.06 **Description** The issue is related to an integer overflow of the UINT32 value, which can allow an attacker to access confidential data, compromise its integrity, and cause a denial of service. Specifically, the problem occurs when handling squashfs filesystems that contain a symbolic link with a name length of UINT32 bytes, leading to an arithmetic overflow and a heap-based buffer overflow with attacker-controlled data. **Recommendations** For Grub2 versions prior to 2.06, update to version 2.06 or later to resolve the issue. As a temporary workaround, consider avoiding the use of squashfs filesystems with symbolic links that could trigger the overflow until a patch is applied. Restrict access to sensitive data handled by Grub2 to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Grub2 versions prior to 2.04 **Description** The issue is related to the implementation of the `grub cmd initrd` and `grub initrd init` functions in Grub2, which can be exploited by passing a large number of arguments to the `initrd` command on 32-bit architectures, or by using a crafted filesystem with very large files on any architecture. This can lead to a heap-based buffer overflow, allowing an attacker to execute arbitrary code, bypass UEFI Secure Boot restrictions, and compromise data confidentiality and integrity. **Recommendations** For Grub2 versions prior to 2.04, update to a version that includes the fix for this issue to prevent exploitation. As a temporary workaround, consider restricting the use of the `initrd` command on 32-bit architectures to minimize the risk of exploitation. Additionally, avoid using crafted filesystems with very large files until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** grub2 versions prior to 2.06 **Description** The issue is related to a buffer overflow when handling symbolic links in ext filesystems. An arithmetic overflow occurs when a filesystem contains a symbolic link with an inode size of UINT32 MAX, leading to a zero-sized memory allocation and a subsequent heap-based buffer overflow. This can allow an attacker to compromise data integrity or cause a denial of service. **Recommendations** For grub2 versions prior to 2.06, consider updating to version 2.06 or later to resolve the issue. As a temporary workaround, restrict the use of symbolic links in ext filesystems to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** grub2 versions prior to 2.06 **Description** The issue is related to the read section as string() function, which expects a font name to be at most UINT32 MAX - 1 length in bytes but does not verify it before proceeding with buffer allocation. This can lead to an arithmetic overflow, zero-sized allocation, and further heap-based buffer overflow when a malicious font file with a name of UINT32 MAX length is crafted. An attacker may leverage this to impact data integrity or cause a denial of service. **Recommendations** For versions prior to 2.06, as a temporary workaround, consider disabling the `read section as string()` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GRUB2 versions prior to 2.04 **Description** The issue is related to a race condition in the `grub script function create()` function of the Grub2 bootloader, which can lead to a use-after-free condition when a function is redefined while it is already executing. This can allow an attacker to access confidential data, compromise data integrity, and cause a denial of service. The vulnerability can also be exploited to achieve arbitrary code execution and bypass secure boot restrictions. **Recommendations** For GRUB2 versions prior to 2.04, update to a version that includes the fix for this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libssh2 versions prior to 1.8.1 **Description** A flaw in libssh2 allows a server to send multiple keyboard interactive response messages with a total length greater than the maximum unsigned char characters. This can cause an out of bounds memory write error. The issue is related to a buffer overflow in memory, which can be exploited by a remote attacker to cause a denial of service, execute arbitrary code, or disclose sensitive information. **Recommendations** For versions prior to 1.8.1, update to version 1.8.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the libssh2 library until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** systemd versions prior to 241-alt2 **Description** A buffer overflow vulnerability exists in the `bus process object()` function within systemd. An unprivileged local user can exploit this flaw by sending a specially crafted D-Bus message to PID1, potentially causing a denial of service (systemd PID1 crash and kernel panic). The vulnerability stems from insufficient input validation when handling the path field of a D-Bus message, leading to a stack buffer overflow. **Recommendations** Update systemd to version 241-alt2 or later.

**Name of the Vulnerable Software and Affected Versions** libssh2 versions prior to 1.8.1 **Description** The issue is related to an integer overflow in the libssh2 library, specifically in the way keyboard prompt requests are parsed. This could allow a remote attacker who compromises an SSH server to execute arbitrary code on the client system when a user connects to the server. The vulnerability is associated with the `userauth keyboard interactive()` function in the `userauth.c` component of the libssh2 library. **Recommendations** For versions prior to 1.8.1, update to version 1.8.1 or later to resolve the issue. As a temporary workaround, consider disabling the `userauth keyboard interactive()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** libssh2 versions prior to 1.8.1 **Description** The issue is related to an out of bounds read flaw in the way SSH packets are parsed, specifically when the padding length value is greater than the packet length. This could allow a remote attacker who compromises a SSH server to cause a Denial of Service or read data in the client memory. The vulnerability is associated with errors in processing inconsistencies in the length parameter, which can be exploited by a remote attacker to gain unauthorized access to protected information or cause a service disruption. **Recommendations** For versions prior to 1.8.1, update to version 1.8.1 or later to resolve the issue. As a temporary workaround, consider restricting access to SSH servers until the update is applied.

**Name of the Vulnerable Software and Affected Versions** libssh2 versions prior to 1.8.1 **Description** The issue is related to an integer overflow flaw in the way SSH MSG CHANNEL REQUEST packets with an exit signal are parsed. This could lead to an out of bounds write, allowing a remote attacker who compromises a SSH server to potentially execute code on the client system when a user connects to the server. The vulnerability can be exploited by a remote attacker to execute arbitrary code in the client system upon connection to the server. **Recommendations** For libssh2 versions prior to 1.8.1, update to version 1.8.1 or later to resolve the issue. As a temporary workaround, consider restricting access to SSH servers until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** libssh2 versions prior to 1.8.1 **Description** The issue is related to an integer overflow in the libssh2 library, which can be exploited by a remote attacker to execute arbitrary code on the client system when a user connects to a compromised SSH server. The vulnerability is associated with the ` libssh2 transport read` function in the `src/transport.c` file and occurs when reading packets from the server. **Recommendations** For libssh2 versions prior to 1.8.1, update to version 1.8.1 or later to resolve the issue. As a temporary workaround, consider restricting access to SSH servers until the update is applied. Avoid using the ` libssh2 transport read` function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** libssh2 versions prior to 1.8.1 **Description** An out of bounds read flaw was discovered in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory. The vulnerability may allow a remote attacker to cause a denial of service or gain unauthorized access to protected information by connecting to a compromised SSH server. **Recommendations** For versions prior to 1.8.1, update to version 1.8.1 or later to resolve the issue. As a temporary workaround, consider restricting access to SSH servers until the update is applied.

**Name of the Vulnerable Software and Affected Versions** libssh2 versions prior to 1.8.1 **Description** The issue is related to an out of bounds read flaw in the ` libssh2 packet require` and ` libssh2 packet requirev` functions of the libssh2 library. This flaw can be exploited by a remote attacker who compromises an SSH server, potentially allowing them to cause a Denial of Service or read data in the client memory. **Recommendations** For versions prior to 1.8.1, update to version 1.8.1 or later to resolve the issue. As a temporary workaround, consider restricting access to SSH servers until the update is applied.

**Name of the Vulnerable Software and Affected Versions** libssh2 versions prior to 1.8.1 **Description** An out of bounds read flaw was discovered in libssh2 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory. **Recommendations** For versions prior to 1.8.1, update to version 1.8.1 or later to resolve the issue. As a temporary workaround, consider restricting access to SSH servers until the update is applied.

**Name of the Vulnerable Software and Affected Versions** GDM versions prior to 3.29.1 ALT Linux (affected versions not specified) **Description** The issue arises from the daemon in GDM not properly unexporting display objects from its D-Bus interface when they are destroyed. This allows a local attacker to trigger a use-after-free via a specially crafted sequence of D-Bus method calls. As a result, this can lead to a denial of service or potential code execution. **Recommendations** For GDM versions prior to 3.29.1, update to version 3.29.1 or later to resolve the issue. At the moment, there is no information about a fix for ALT Linux.

**Name of the Vulnerable Software and Affected Versions** systemd versions through 233 **Description** The issue is caused by a buffer overflow in the dns packet new function of the systemd-resolved service in the Linux operating system. This can be exploited by a remote attacker who creates a malicious DNS server that sends a response with specially crafted data of a large size, allowing the attacker to crash the system-resolved service and potentially execute arbitrary code. **Recommendations** For versions through 233, consider disabling the dns packet new function as a temporary workaround until a patch is available. Restrict access to the system-resolved service to minimize the risk of exploitation. Avoid using the system-resolved service until the issue is resolved.