ALAS2-2025-2844


Amazon Linux 2 Security Advisory: ALAS2-2025-2844
Advisory Released Date: 2025-04-30
Advisory Updated Date: 2025-04-30
Severity: Medium

Issue Overview:

When reading a language .mo file in grub_mofile_open(), grub2 fails to check for integer overflow when computing the size of its internal buffer. A crafted .mo file can make the buffer size calculation wrap, leading to out-of-bounds reads and writes. This flaw allows an attacker to leak sensitive data or overwrite critical data, possibly circumventing Secure Boot protections. (CVE-2024-45776)

A flaw was found in grub2. The calculation of the translation buffer size when reading a language .mo file in grub_gettext_getstr_from_position() may overflow, leading to an out-of-bounds write. This issue can be leveraged by an attacker to overwrite grub2's sensitive heap data, eventually leading to the circumvention of Secure Boot protections. (CVE-2024-45777)

grub2: fs/bfs: Integer overflow in the BFS parser. (CVE-2024-45778)

grub2: fs/bfs: Integer overflow leads to heap out-of-bounds read in the BFS parser. (CVE-2024-45779)
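All four issues above share one root cause: a size derived from attacker-controlled header fields is multiplied or added without an overflow check, so a wrapped value passes the "does it fit?" test and the later copy runs past the buffer. The following is an added example (not code from the advisory, from grub2, or from Amazon) that shows the unchecked pattern next to a hardened version. The header layout, the ENTRY_SIZE constant, the MO_MAGIC value and every function name are constructed for this illustration and are not grub2's real .mo or BFS structures; the overflow checks use the GCC/Clang builtins __builtin_mul_overflow and __builtin_add_overflow.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Each string-table entry: a 32-bit length followed by a 32-bit file offset. */
#define ENTRY_SIZE 8u

/* Header layout constructed for this example (loosely modelled on a gettext
   .mo file, NOT grub2's real structure): three little-endian uint32 fields. */
#define HDR_MAGIC_OFF    0u
#define HDR_NSTRINGS_OFF 4u
#define HDR_TABLE_OFF    8u
#define HDR_SIZE         12u
#define MO_MAGIC         0x950412deu

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The flawed pattern: the product silently wraps modulo 2^32 when nstrings is
   large, so a huge table appears to "fit" and later accesses run off the end. */
uint32_t table_size_unchecked(uint32_t nstrings) {
    return nstrings * ENTRY_SIZE;
}

/* Hardened pattern: every arithmetic step is overflow-checked and the result
   is bounded by the actual file size. Returns 0 and the byte count on success,
   -1 when the header must be rejected. */
int table_bounds_checked(uint32_t nstrings, uint32_t table_off,
                         size_t file_size, size_t *out_bytes) {
    uint32_t bytes, end;
    if (__builtin_mul_overflow(nstrings, ENTRY_SIZE, &bytes)) return -1;
    if (__builtin_add_overflow(table_off, bytes, &end)) return -1;
    if ((size_t)end > file_size) return -1;
    *out_bytes = bytes;
    return 0;
}

/* Validate a whole in-memory file: magic, header length, then table bounds.
   Returns 0 if the table is safe to allocate and copy, -1 otherwise. */
int validate_mo(const uint8_t *buf, size_t len, size_t *table_bytes) {
    if (len < HDR_SIZE || read_le32(buf + HDR_MAGIC_OFF) != MO_MAGIC) return -1;
    uint32_t nstrings  = read_le32(buf + HDR_NSTRINGS_OFF);
    uint32_t table_off = read_le32(buf + HDR_TABLE_OFF);
    if (table_off < HDR_SIZE) return -1;   /* table must not overlap the header */
    return table_bounds_checked(nstrings, table_off, len, table_bytes);
}

/* Write a constructed little-endian header into out; returns bytes written. */
size_t make_header(uint8_t *out, uint32_t nstrings, uint32_t table_off) {
    uint32_t f[3] = { MO_MAGIC, nstrings, table_off };
    for (int i = 0; i < 3; i++)
        for (int b = 0; b < 4; b++)
            out[i * 4 + b] = (uint8_t)(f[i] >> (8 * b));
    return HDR_SIZE;
}

/* Build a 64-byte constructed file with the given header fields and validate
   it. Returns the accepted table size in bytes, or -1 if it was rejected. */
long validate_constructed_file(uint32_t nstrings, uint32_t table_off) {
    uint8_t file[64] = {0};
    size_t bytes = 0;
    make_header(file, nstrings, table_off);
    if (validate_mo(file, sizeof file, &bytes) != 0) return -1;
    return (long)bytes;
}

int main(void) {
    /* 0x20000001 * 8 = 0x100000008, which wraps to 8 in 32-bit arithmetic. */
    uint32_t crafted = 0x20000001u;
    printf("unchecked size for %u entries: %u bytes (wrapped)\n",
           crafted, table_size_unchecked(crafted));
    printf("checked validation, benign file : %ld\n", validate_constructed_file(2u, 12u));
    printf("checked validation, crafted file: %ld\n", validate_constructed_file(crafted, 12u));
    return 0;
}
```

The unchecked product for the crafted count is 8 bytes, small enough to be allocated and apparently in bounds, while the checked path rejects the same header before any allocation; the same checked-arithmetic discipline applies to the BFS parser's size fields. On real systems the defensive step is simply installing the fixed packages listed below.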


Affected Packages:

grub2


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update grub2 to update your system.

New Packages:
aarch64:
    grub2-2.06-14.amzn2.0.6.aarch64
    grub2-tools-2.06-14.amzn2.0.6.aarch64
    grub2-tools-minimal-2.06-14.amzn2.0.6.aarch64
    grub2-tools-extra-2.06-14.amzn2.0.6.aarch64
    grub2-efi-aa64-2.06-14.amzn2.0.6.aarch64
    grub2-efi-aa64-ec2-2.06-14.amzn2.0.6.aarch64
    grub2-efi-aa64-cdboot-2.06-14.amzn2.0.6.aarch64
    grub2-emu-2.06-14.amzn2.0.6.aarch64
    grub2-emu-modules-2.06-14.amzn2.0.6.aarch64
    grub2-debuginfo-2.06-14.amzn2.0.6.aarch64

noarch:
    grub2-common-2.06-14.amzn2.0.6.noarch
    grub2-efi-x64-modules-2.06-14.amzn2.0.6.noarch
    grub2-pc-modules-2.06-14.amzn2.0.6.noarch
    grub2-efi-aa64-modules-2.06-14.amzn2.0.6.noarch

src:
    grub2-2.06-14.amzn2.0.6.src

x86_64:
    grub2-2.06-14.amzn2.0.6.x86_64
    grub2-tools-2.06-14.amzn2.0.6.x86_64
    grub2-tools-efi-2.06-14.amzn2.0.6.x86_64
    grub2-tools-minimal-2.06-14.amzn2.0.6.x86_64
    grub2-tools-extra-2.06-14.amzn2.0.6.x86_64
    grub2-efi-x64-2.06-14.amzn2.0.6.x86_64
    grub2-efi-x64-ec2-2.06-14.amzn2.0.6.x86_64
    grub2-efi-x64-cdboot-2.06-14.amzn2.0.6.x86_64
    grub2-pc-2.06-14.amzn2.0.6.x86_64
    grub2-emu-2.06-14.amzn2.0.6.x86_64
    grub2-emu-modules-2.06-14.amzn2.0.6.x86_64
    grub2-debuginfo-2.06-14.amzn2.0.6.x86_64