Daniel Axtens

**Name of the Vulnerable Software and Affected Versions** grub2 (affected versions not specified) **Description** The issue arises when rendering certain unicode sequences, as grub2's font code does not properly validate if the informed glyph's width and height is constrained within bitmap size. This allows an attacker to craft an input that leads to an out-of-bounds write into grub2's heap, resulting in memory corruption and availability issues. Although complex, arbitrary code execution cannot be ruled out. The vulnerability can be exploited by remote attackers to execute arbitrary code and impact the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Grub (affected versions not specified) **Description** The issue is related to an integer underflow in the `grub net recv ip4 packets()` function, specifically affecting the `rsm->total len` value. This can occur when a maliciously crafted IP packet is received, potentially leading to memory allocation issues. Under certain circumstances, the `total len` value may wrap around to a small integer, which can then be used in memory allocation, allowing subsequent operations to write past the end of the buffer. Exploitation of this issue may allow a remote attacker to execute arbitrary code by sending specially crafted IP packets. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GRUB2 (affected versions not specified) **Description** The issue is related to an out-of-bounds write when handling split HTTP headers. When GRUB2's HTTP code processes split HTTP headers, it accidentally moves its internal data buffer point by one position, potentially leading to an out-of-bound write when parsing the HTTP request. This can result in writing a NULL byte past the buffer, which may allow an attacker to corrupt GRUB2's internal memory metadata. The vulnerability can be exploited by a remote attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libarchive versions 3.1.0 and later **Description** The issue is related to a double free error in the RAR decoder of the libarchive library, specifically in the `parse codes()` function within `libarchive/archive read support format rar.c`. This error occurs when `realloc(rar->lzss.window, new size)` is called with `new size = 0`, potentially leading to a crash or denial of service (DoS). The attack can be exploited if a victim opens a specially crafted RAR archive, allowing a remote attacker to cause a service disruption. **Recommendations** For libarchive versions 3.1.0 and later, consider disabling the RAR decoder functionality until a patch is available to prevent potential exploitation. Restrict access to specially crafted RAR archives to minimize the risk of a denial of service. At the moment, there is no information about a newer version that contains a fix for this vulnerability.