Bug 856472 (CVE-2022-33103, CVE-2022-34835) - dev-embedded/u-boot-tools: multiple vulnerabilities
Summary: dev-embedded/u-boot-tools: multiple vulnerabilities
Alias: CVE-2022-33103, CVE-2022-34835
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: ??
Depends on:
Reported: 2022-07-05 02:35 UTC by John Helmert III
Modified: 2022-07-05 16:17 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-05 02:35:57 UTC
CVE-2022-33103 (

Das U-Boot from v2020.10 to v2022.07-rc3 was discovered to contain an out-of-bounds write via the function sqfs_readdir().

CVE-2022-34835 (

In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant stack-based buffer overflow in the "i2c md" command enables the corruption of the return address pointer of the do_i2c_md function.

Not sure what the impact is. Seems like there are patches available for both issues.
Comment 1 Jakov Smolić archtester gentoo-dev 2022-07-05 10:56:44 UTC
I don't think this vulnerability applies to our package, as we are not installing the bootloader, but rather just the tools (the only relevant directory for this package is I'm not sure if there have been any CVEs specifically for the tools, but I'm pretty certain this doesn't apply to the u-boot-tools package.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-05 16:17:38 UTC