Bug 856472 (CVE-2022-33103, CVE-2022-34835)

Summary:	dev-embedded/u-boot-tools: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED INVALID
Severity:	normal	CC:	embedded, jsmolic
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	??
Package list:		Runtime testing required:	---

Description John Helmert III archtester

2022-07-05 02:35:57 UTC

CVE-2022-33103 (https://lore.kernel.org/all/20220609140206.297405-1-miquel.raynal@bootlin.com/):
https://lore.kernel.org/all/CALO=DHFB+yBoXxVr5KcsK0iFdg+e7ywko4-e+72kjbcS8JBfPw@mail.gmail.com/

Das U-Boot from v2020.10 to v2022.07-rc3 was discovered to contain an out-of-bounds write via the function sqfs_readdir().

CVE-2022-34835 (https://source.denx.de/u-boot/u-boot/-/commit/8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409):
https://lists.denx.de/pipermail/u-boot/2022-June/486113.html
https://github.com/u-boot/u-boot/commit/8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409

In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant stack-based buffer overflow in the "i2c md" command enables the corruption of the return address pointer of the do_i2c_md function.

Not sure what the impact is. Seems like there are patches available for both issues.

Comment 1 Jakov Smolić archtester

2022-07-05 10:56:44 UTC

I don't think this vulnerability applies to our package, as we are not installing the bootloader, but rather just the tools (the only relevant directory for this package is https://source.denx.de/u-boot/u-boot/-/tree/master/tools). I'm not sure if there have been any CVEs specifically for the tools, but I'm pretty certain this doesn't apply to the u-boot-tools package.

Comment 2 John Helmert III archtester

2022-07-05 16:17:38 UTC

Thanks!