CVE-2022-33103 (https://lore.kernel.org/all/20220609140206.297405-1-miquel.raynal@bootlin.com/):
https://lore.kernel.org/all/CALO=DHFB+yBoXxVr5KcsK0iFdg+e7ywko4-e+72kjbcS8JBfPw@mail.gmail.com/
Das U-Boot from v2020.10 to v2022.07-rc3 was discovered to contain an out-of-bounds write via the function sqfs_readdir().

CVE-2022-34835 (https://source.denx.de/u-boot/u-boot/-/commit/8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409):
https://lists.denx.de/pipermail/u-boot/2022-June/486113.html
https://github.com/u-boot/u-boot/commit/8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409
In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant stack-based buffer overflow in the "i2c md" command enables the corruption of the return address pointer of the do_i2c_md function.

Not sure what the impact is. Seems like there are patches available for both issues.
I don't think this vulnerability applies to our package, as we are not installing the bootloader, but rather just the tools (the only relevant directory for this package is https://source.denx.de/u-boot/u-boot/-/tree/master/tools). I'm not sure if there have been any CVEs specifically for the tools, but I'm pretty certain this doesn't apply to the u-boot-tools package.
Thanks!