Bug 850643 (CVE-2022-30552, CVE-2022-30790)

Summary: dev-embedded/u-boot-tools: multiple vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: embedded, jsmolic
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://research.nccgroup.com/2022/06/03/technical-advisory-multiple-vulnerabilities-in-u-boot-cve-2022-30790-cve-2022-30552/
Whiteboard: B2 [ebuild]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-08 15:50:22 UTC
CVE-2022-30552:

Das U-Boot 2022.01 has a Buffer Overflow.

CVE-2022-30790:

Das U-Boot 2022.01 has a Buffer Overflow, a different issue than CVE-2022-30552.

According to the advisory, patches exist and were posted to the u-boot
mailing list on May 26, but may not be in upstream git yet. There's
also been a writeup of the vulnerabilities on that list since May
18. Of course, none of this is referenced by the CVEs.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-08 18:56:00 UTC
Original advisory: https://lists.denx.de/pipermail/u-boot/2022-May/484383.html
CVE-2022-30767 patch: https://lists.denx.de/pipermail/u-boot/2022-May/484386.html

I can't seem to find a patch for the other CVE.
Comment 2 Jakov Smolić archtester gentoo-dev 2022-07-05 10:57:34 UTC
See https://bugs.gentoo.org/856472#c1, this is similar
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-05 16:17:25 UTC
Thanks!