Bug 771555 - <dev-embedded/u-boot-tools-2021.04_rc2: multiple vulnerabilities (CVE-2021-{27097,27138})
Summary: <dev-embedded/u-boot-tools-2021.04_rc2: multiple vulnerabilities (CVE-2021-{2...
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: ?? [stable?]
Keywords:
Depends on:
Blocks:
Reported: 2021-02-19 04:52 UTC by John Helmert III
Modified: 2021-02-24 21:11 UTC

See Also:
Package list:
dev-embedded/u-boot-tools-2021.04_rc2 *
Runtime testing required: ---
nattka: sanity-check+


Description John Helmert III gentoo-dev Security 2021-02-19 04:52:07 UTC
CVE-2021-27097:

The boot loader in Das U-Boot before 2021.04-rc2 mishandles a modified FIT.

Patches: https://github.com/u-boot/u-boot/commit/8a7d4cf9820ea16fabd25a6379351b4dc291204b
https://github.com/u-boot/u-boot/commit/6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01

CVE-2021-27138:

The boot loader in Das U-Boot before 2021.04-rc2 mishandles use of unit addresses in a FIT.

Patches: https://github.com/u-boot/u-boot/commit/79af75f7776fc20b0d7eb6afe1e27c00fdb4b9b4
https://github.com/u-boot/u-boot/commit/3f04db891a353f4b127ed57279279f851c6b4917


I'm not sure about the impact of these, but there are patches so we might be able to backport them if necessary.
Comment 1 Larry the Git Cow gentoo-dev 2021-02-19 08:18:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4f8e821f7c750d3db6e6828a8cd70dc272c4dbd

commit f4f8e821f7c750d3db6e6828a8cd70dc272c4dbd
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2021-02-19 08:17:03 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2021-02-19 08:18:51 +0000

    dev-embedded/u-boot-tools: bump up to 2020.04-r2
    
    Bug: https://bugs.gentoo.org/771555
    Closes: https://bugs.gentoo.org/745117
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 dev-embedded/u-boot-tools/Manifest                 |  1 +
 .../u-boot-tools/u-boot-tools-2021.04_rc2.ebuild   | 76 ++++++++++++++++++++++
 2 files changed, 77 insertions(+)
Comment 2 John Helmert III gentoo-dev Security 2021-02-19 15:06:25 UTC
Thank you! Let's stabilize if it's suitable.

Slyfox: can you offer input on the impact of these?