CVE-2021-27097: The boot loader in Das U-Boot before 2021.04-rc2 mishandles a modified FIT.
Patches:
https://github.com/u-boot/u-boot/commit/8a7d4cf9820ea16fabd25a6379351b4dc291204b
https://github.com/u-boot/u-boot/commit/6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01
CVE-2021-27138: The boot loader in Das U-Boot before 2021.04-rc2 mishandles use of unit addresses in a FIT.
Patches:
https://github.com/u-boot/u-boot/commit/79af75f7776fc20b0d7eb6afe1e27c00fdb4b9b4
https://github.com/u-boot/u-boot/commit/3f04db891a353f4b127ed57279279f851c6b4917
I'm not sure about the impact of these, but there are patches so we might be able to backport them if necessary.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4f8e821f7c750d3db6e6828a8cd70dc272c4dbd
commit f4f8e821f7c750d3db6e6828a8cd70dc272c4dbd
Author: Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2021-02-19 08:17:03 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2021-02-19 08:18:51 +0000
    dev-embedded/u-boot-tools: bump up to 2020.04-r2
    Bug: https://bugs.gentoo.org/771555
    Closes: https://bugs.gentoo.org/745117
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
 dev-embedded/u-boot-tools/Manifest | 1 +
 .../u-boot-tools/u-boot-tools-2021.04_rc2.ebuild | 76 ++++++++++++++++++++++
 2 files changed, 77 insertions(+)
Thank you! Let's stabilize if it's suitable. Slyfox: can you offer input on the impact of these?
amd64 done
x86 done
arm done
all arches done
Please clean up.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=16b23b9d5ebd4db63a982f8b5b4d62408a1128b4
commit 16b23b9d5ebd4db63a982f8b5b4d62408a1128b4
Author: John Helmert III <ajak@gentoo.org>
AuthorDate: 2021-07-23 23:50:13 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2021-07-24 06:21:19 +0000
    dev-embedded/u-boot-tools: drop 2020.04-r2
    Bug: https://bugs.gentoo.org/771555
    Signed-off-by: John Helmert III <ajak@gentoo.org>
 dev-embedded/u-boot-tools/Manifest | 1 -
 .../u-boot-tools/u-boot-tools-2020.04-r2.ebuild | 75 ----------------------
 2 files changed, 76 deletions(-)
Unable to check for sanity:
> no match for package: dev-embedded/u-boot-tools-2021.04_rc2
Resetting sanity check; package list is empty or all packages are done.
The CVEs in question only apply to the bootloader, not to the tools, so they aren't relevant to dev-embedded/u-boot-tools in the first place.
If the bug is wrong it's invalid.