It was discovered that grub_malloc does not validate the allocation size allowing for arithmetic overflow and subsequently a heap-based buffer overflow.
CVE-2020-14309
An integer overflow in grub_squash_read_symlink may lead to a heap-based buffer overflow.
CVE-2020-14310
An integer overflow in read_section_from_string may lead to a heap-based buffer overflow.
CVE-2020-14311
An integer overflow in grub_ext2_read_link may lead to a heap-based buffer overflow.
CVE-2020-15706
script: Avoid a use-after-free when redefining a function during execution.
CVE-2020-15707
An integer overflow flaw was found in the initrd size handling.
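The grub_malloc entry above, and the other integer-overflow entries in this list, share one pattern: an allocation size computed from attacker-controlled counts wraps around, so a too-small buffer is allocated and later overrun. The following is an added example (not GRUB's own code) contrasting unchecked size arithmetic with a checked version; the helper names are hypothetical and the overflow checks use the GCC/Clang `__builtin_*_overflow` builtins.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical helper: compute total = header + count * elem_size and
 * report whether any intermediate result wrapped around size_t. */
static bool checked_alloc_size(size_t header, size_t count,
                               size_t elem_size, size_t *total)
{
    size_t body;
    if (__builtin_mul_overflow(count, elem_size, &body))
        return false;
    if (__builtin_add_overflow(header, body, total))
        return false;
    return true;
}

/* The unchecked form: the multiplication wraps silently, so a huge count
 * yields a tiny size, and a later copy of `count` elements overruns the
 * heap block that was allocated for it. */
static size_t unchecked_alloc_size(size_t header, size_t count, size_t elem_size)
{
    return header + count * elem_size;
}

/* Hardened allocation: refuse the request on arithmetic overflow instead
 * of handing back an undersized block. Returns NULL on overflow or when
 * malloc itself fails. */
static void *alloc_elements(size_t header, size_t count, size_t elem_size)
{
    size_t total;
    if (!checked_alloc_size(header, count, elem_size, &total))
        return NULL;
    return malloc(total);
}

int main(void)
{
    /* Constructed input: a count chosen so that count * 4 wraps to 0. */
    size_t huge = SIZE_MAX / 4 + 1;
    void *p = alloc_elements(16, huge, 4);   /* NULL: overflow rejected */
    free(p);
    return 0;
}
```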
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/