Security update for grub2

Announcement ID:	SUSE-SU-2025:0586-1
Release Date:	2025-02-19T07:29:02Z
Rating:	important
References:	bsc#1229163 bsc#1229164 bsc#1233606 bsc#1233608 bsc#1233609 bsc#1233610 bsc#1233612 bsc#1233613 bsc#1233614 bsc#1233615 bsc#1233616 bsc#1233617 bsc#1234958 bsc#1236316 bsc#1236317 bsc#1237002 bsc#1237006 bsc#1237008 bsc#1237009 bsc#1237010 bsc#1237011 bsc#1237012 bsc#1237013 bsc#1237014
Cross-References:	CVE-2024-45774 CVE-2024-45775 CVE-2024-45776 CVE-2024-45777 CVE-2024-45778 CVE-2024-45779 CVE-2024-45780 CVE-2024-45781 CVE-2024-45782 CVE-2024-45783 CVE-2024-49504 CVE-2024-56737 CVE-2025-0622 CVE-2025-0624 CVE-2025-0677 CVE-2025-0678 CVE-2025-0684 CVE-2025-0685 CVE-2025-0686 CVE-2025-0689 CVE-2025-0690 CVE-2025-1118 CVE-2025-1125
CVSS scores:	CVE-2024-45774 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2024-45774 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2024-45775 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2024-45775 ( NVD ): 5.2 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H CVE-2024-45776 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2024-45776 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2024-45777 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2024-45778 ( SUSE ): 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L CVE-2024-45779 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2024-45780 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2024-45781 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2024-45781 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2024-45782 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2024-45783 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2024-45783 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2024-49504 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2024-49504 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2024-49504 ( NVD ): 7.0 CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2024-56737 ( SUSE ): 8.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2024-56737 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-56737 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-0622 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2025-0622 ( NVD ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2025-0624 ( SUSE ): 7.6 CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2025-0677 ( SUSE ): 8.9 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVE-2025-0677 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2025-0678 ( SUSE ): 8.9 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVE-2025-0678 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2025-0684 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2025-0685 ( SUSE ): 8.9 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVE-2025-0685 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2025-0686 ( SUSE ): 8.9 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVE-2025-0686 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2025-0689 ( SUSE ): 8.9 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVE-2025-0689 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2025-0690 ( SUSE ): 7.3 CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVE-2025-0690 ( SUSE ): 6.1 CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H CVE-2025-1118 ( SUSE ): 6.7 CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2025-1118 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVE-2025-1125 ( SUSE ): 8.7 CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVE-2025-1125 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected Products:	Basesystem Module 15-SP6 openSUSE Leap 15.6 Server Applications Module 15-SP6 SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise Real Time 15 SP6 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves 23 vulnerabilities and has one security fix can now be installed.

Description:

This update for grub2 fixes the following issues:

• CVE-2024-45781: Fixed strcpy overflow in ufs. (bsc#1233617)
• CVE-2024-56737: Fixed a heap-based buffer overflow in hfs. (bsc#1234958)
• CVE-2024-45782: Fixed strcpy overflow in hfs. (bsc#1233615)
• CVE-2024-45780: Fixed an overflow in tar/cpio. (bsc#1233614)
• CVE-2024-45783: Fixed a refcount overflow in hfsplus. (bsc#1233616)
• CVE-2024-45774: Fixed a heap overflow in JPEG parser. (bsc#1233609)
• CVE-2024-45775: Fixed a missing NULL check in extcmd parser. (bsc#1233610)
• CVE-2024-45776: Fixed an overflow in .MO file handling. (bsc#1233612)
• CVE-2024-45777: Fixed an integer overflow in gettext. (bsc#1233613)
• CVE-2024-45778: Fixed bfs filesystem by removing it from lockdown capable modules. (bsc#1233606)
• CVE-2024-45779: Fixed a heap overflow in bfs. (bsc#1233608)
• CVE-2024-49504: Fixed an issue that can bypass TPM-bound disk encryption on SL(E)M encrypted Images. (bsc#1229164)
• CVE-2025-0624: Fixed an out-of-bounds write during the network boot process. (bsc#1236316)
• CVE-2025-0622: Fixed a use-after-free when handling hooks during module unload in command/gpg . (bsc#1236317)
• CVE-2025-0690: Fixed an integer overflow that may lead to an out-of-bounds write through the read command. (bsc#1237012)
• CVE-2025-1118: Fixed an issue where the dump command was not being blocked when grub was in lockdown mode. (bsc#1237013)
• CVE-2025-0677: Fixed an integer overflow that may lead to an out-of-bounds write when handling symlinks in ufs. (bsc#1237002)
• CVE-2025-0684: Fixed an integer overflow that may lead to an out-of-bounds write when handling symlinks in reiserfs. (bsc#1237008)
• CVE-2025-0685: Fixed an integer overflow that may lead to an out-of-bounds write when handling symlinks in jfs. (bsc#1237009)
• CVE-2025-0686: Fixed an integer overflow that may lead to an out-of-bounds write when handling symlinks in romfs. (bsc#1237010)
• CVE-2025-0689: Fixed a heap-based buffer overflow in udf that may lead to arbitrary code execution. (bsc#1237011)
• CVE-2025-1125: Fixed an integer overflow that may lead to an out-of-bounds write in hfs. (bsc#1237014)
• CVE-2025-0678: Fixed an integer overflow that may lead to an out-of-bounds write in squash4. (bsc#1237006)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Basesystem Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2025-586=1
• Server Applications Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP6-2025-586=1
• openSUSE Leap 15.6
  zypper in -t patch SUSE-2025-586=1 openSUSE-SLE-15.6-2025-586=1

Package List:

• Basesystem Module 15-SP6 (aarch64 ppc64le s390x x86_64)
  • grub2-debuginfo-2.12-150600.8.18.2
  • grub2-2.12-150600.8.18.2
• Basesystem Module 15-SP6 (noarch)
  • grub2-powerpc-ieee1275-2.12-150600.8.18.2
  • grub2-systemd-sleep-plugin-2.12-150600.8.18.2
  • grub2-x86_64-efi-2.12-150600.8.18.2
  • grub2-snapper-plugin-2.12-150600.8.18.2
  • grub2-i386-pc-2.12-150600.8.18.2
  • grub2-arm64-efi-2.12-150600.8.18.2
• Basesystem Module 15-SP6 (aarch64 s390x x86_64)
  • grub2-debugsource-2.12-150600.8.18.2
• Basesystem Module 15-SP6 (s390x)
  • grub2-s390x-emu-2.12-150600.8.18.2
• Server Applications Module 15-SP6 (noarch)
  • grub2-x86_64-xen-2.12-150600.8.18.2
• openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64 i586)
  • grub2-branding-upstream-2.12-150600.8.18.2
  • grub2-debuginfo-2.12-150600.8.18.2
  • grub2-2.12-150600.8.18.2
• openSUSE Leap 15.6 (aarch64 s390x x86_64 i586)
  • grub2-debugsource-2.12-150600.8.18.2
• openSUSE Leap 15.6 (noarch)
  • grub2-powerpc-ieee1275-2.12-150600.8.18.2
  • grub2-x86_64-efi-extras-2.12-150600.8.18.2
  • grub2-i386-pc-extras-2.12-150600.8.18.2
  • grub2-x86_64-xen-debug-2.12-150600.8.18.2
  • grub2-i386-efi-extras-2.12-150600.8.18.2
  • grub2-arm64-efi-2.12-150600.8.18.2
  • grub2-i386-pc-debug-2.12-150600.8.18.2
  • grub2-x86_64-xen-2.12-150600.8.18.2
  • grub2-i386-efi-debug-2.12-150600.8.18.2
  • grub2-snapper-plugin-2.12-150600.8.18.2
  • grub2-s390x-emu-extras-2.12-150600.8.18.2
  • grub2-i386-xen-debug-2.12-150600.8.18.2
  • grub2-powerpc-ieee1275-debug-2.12-150600.8.18.2
  • grub2-systemd-sleep-plugin-2.12-150600.8.18.2
  • grub2-i386-pc-2.12-150600.8.18.2
  • grub2-arm64-efi-debug-2.12-150600.8.18.2
  • grub2-i386-xen-2.12-150600.8.18.2
  • grub2-arm64-efi-extras-2.12-150600.8.18.2
  • grub2-x86_64-efi-debug-2.12-150600.8.18.2
  • grub2-x86_64-xen-extras-2.12-150600.8.18.2
  • grub2-powerpc-ieee1275-extras-2.12-150600.8.18.2
  • grub2-x86_64-efi-2.12-150600.8.18.2
  • grub2-i386-efi-2.12-150600.8.18.2
  • grub2-i386-xen-extras-2.12-150600.8.18.2
• openSUSE Leap 15.6 (s390x)
  • grub2-s390x-emu-debug-2.12-150600.8.18.2
  • grub2-s390x-emu-2.12-150600.8.18.2

References:

• https://www.suse.com/security/cve/CVE-2024-45774.html
• https://www.suse.com/security/cve/CVE-2024-45775.html
• https://www.suse.com/security/cve/CVE-2024-45776.html
• https://www.suse.com/security/cve/CVE-2024-45777.html
• https://www.suse.com/security/cve/CVE-2024-45778.html
• https://www.suse.com/security/cve/CVE-2024-45779.html
• https://www.suse.com/security/cve/CVE-2024-45780.html
• https://www.suse.com/security/cve/CVE-2024-45781.html
• https://www.suse.com/security/cve/CVE-2024-45782.html
• https://www.suse.com/security/cve/CVE-2024-45783.html
• https://www.suse.com/security/cve/CVE-2024-49504.html
• https://www.suse.com/security/cve/CVE-2024-56737.html
• https://www.suse.com/security/cve/CVE-2025-0622.html
• https://www.suse.com/security/cve/CVE-2025-0624.html
• https://www.suse.com/security/cve/CVE-2025-0677.html
• https://www.suse.com/security/cve/CVE-2025-0678.html
• https://www.suse.com/security/cve/CVE-2025-0684.html
• https://www.suse.com/security/cve/CVE-2025-0685.html
• https://www.suse.com/security/cve/CVE-2025-0686.html
• https://www.suse.com/security/cve/CVE-2025-0689.html
• https://www.suse.com/security/cve/CVE-2025-0690.html
• https://www.suse.com/security/cve/CVE-2025-1118.html
• https://www.suse.com/security/cve/CVE-2025-1125.html
• https://bugzilla.suse.com/show_bug.cgi?id=1229163
• https://bugzilla.suse.com/show_bug.cgi?id=1229164
• https://bugzilla.suse.com/show_bug.cgi?id=1233606
• https://bugzilla.suse.com/show_bug.cgi?id=1233608
• https://bugzilla.suse.com/show_bug.cgi?id=1233609
• https://bugzilla.suse.com/show_bug.cgi?id=1233610
• https://bugzilla.suse.com/show_bug.cgi?id=1233612
• https://bugzilla.suse.com/show_bug.cgi?id=1233613
• https://bugzilla.suse.com/show_bug.cgi?id=1233614
• https://bugzilla.suse.com/show_bug.cgi?id=1233615
• https://bugzilla.suse.com/show_bug.cgi?id=1233616
• https://bugzilla.suse.com/show_bug.cgi?id=1233617
• https://bugzilla.suse.com/show_bug.cgi?id=1234958
• https://bugzilla.suse.com/show_bug.cgi?id=1236316
• https://bugzilla.suse.com/show_bug.cgi?id=1236317
• https://bugzilla.suse.com/show_bug.cgi?id=1237002
• https://bugzilla.suse.com/show_bug.cgi?id=1237006
• https://bugzilla.suse.com/show_bug.cgi?id=1237008
• https://bugzilla.suse.com/show_bug.cgi?id=1237009
• https://bugzilla.suse.com/show_bug.cgi?id=1237010
• https://bugzilla.suse.com/show_bug.cgi?id=1237011
• https://bugzilla.suse.com/show_bug.cgi?id=1237012
• https://bugzilla.suse.com/show_bug.cgi?id=1237013
• https://bugzilla.suse.com/show_bug.cgi?id=1237014