Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 850643 (CVE-2022-30552, CVE-2022-30790) - dev-embedded/u-boot-tools: multiple vulnerabilities
Summary: dev-embedded/u-boot-tools: multiple vulnerabilities
Status: RESOLVED INVALID
Alias: CVE-2022-30552, CVE-2022-30790
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://research.nccgroup.com/2022/06...
Whiteboard: B2 [ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-06-08 15:50 UTC by John Helmert III
Modified: 2022-07-05 16:17 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-08 15:50:22 UTC
CVE-2022-30552:

Das U-Boot 2022.01 has a Buffer Overflow.

CVE-2022-30790:

Das U-Boot 2022.01 has a Buffer Overflow, a different issue than CVE-2022-30552.

According to the advisory, patches exist and were posted to the u-boot
mailing list on May 26, but may not be in upstream git yet. There's
also been a writeup of the vulnerabilities on that list since May
18. Of course, none of this is referenced by the CVEs.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-08 18:56:00 UTC
Original advisory: https://lists.denx.de/pipermail/u-boot/2022-May/484383.html
CVE-2022-30767 patch: https://lists.denx.de/pipermail/u-boot/2022-May/484386.html

I can't seem to find a patch for the other CVE.
Comment 2 Jakov Smolić archtester gentoo-dev 2022-07-05 10:57:34 UTC
See https://bugs.gentoo.org/856472#c1, this is similar
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-05 16:17:25 UTC
Thanks!