Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 856472 (CVE-2022-33103, CVE-2022-34835) - dev-embedded/u-boot-tools: multiple vulnerabilities
Summary: dev-embedded/u-boot-tools: multiple vulnerabilities
Status: RESOLVED INVALID
Alias: CVE-2022-33103, CVE-2022-34835
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: ??
Keywords:
Depends on:
Blocks:
 
Reported: 2022-07-05 02:35 UTC by John Helmert III
Modified: 2022-07-05 16:17 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-05 02:35:57 UTC
CVE-2022-33103 (https://lore.kernel.org/all/20220609140206.297405-1-miquel.raynal@bootlin.com/):
https://lore.kernel.org/all/CALO=DHFB+yBoXxVr5KcsK0iFdg+e7ywko4-e+72kjbcS8JBfPw@mail.gmail.com/

Das U-Boot from v2020.10 to v2022.07-rc3 was discovered to contain an out-of-bounds write via the function sqfs_readdir().

CVE-2022-34835 (https://source.denx.de/u-boot/u-boot/-/commit/8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409):
https://lists.denx.de/pipermail/u-boot/2022-June/486113.html
https://github.com/u-boot/u-boot/commit/8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409

In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant stack-based buffer overflow in the "i2c md" command enables the corruption of the return address pointer of the do_i2c_md function.

Not sure what the impact is. Seems like there are patches available for both issues.
Comment 1 Jakov Smolić archtester gentoo-dev 2022-07-05 10:56:44 UTC
I don't think this vulnerability applies to our package, as we are not installing the bootloader, but rather just the tools (the only relevant directory for this package is https://source.denx.de/u-boot/u-boot/-/tree/master/tools). I'm not sure if there have been any CVEs specifically for the tools, but I'm pretty certain this doesn't apply to the u-boot-tools package.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-05 16:17:38 UTC
Thanks!