Source: arm-trusted-firmware
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,

The following vulnerabilities were published for arm-trusted-firmware.

CVE-2024-6287[0]:
| Incorrect Calculation vulnerability in Renesas arm-trusted-firmware
| allows Local Execution of Code. When checking whether a new image
| invades/overlaps with a previously loaded image, the code neglects to
| consider a few cases that could allow an attacker to bypass the memory
| range restriction and overwrite an already loaded image partly or
| completely, which could result in code execution and bypass of
| secure boot.

https://github.com/renesas-rcar/arm-trusted-firmware/commit/954d488a9798f8fda675c6b57c571b469b298f04
https://asrg.io/security-advisories/cve-2024-6287-incorrect-address-range-calculations-in-renesas-rcar/

CVE-2024-6285[1]:
| Integer Underflow (Wrap or Wraparound) vulnerability in Renesas
| arm-trusted-firmware. An integer underflow in image range check
| calculations could lead to bypassing address restrictions and
| loading of images to unallowed addresses.

https://github.com/renesas-rcar/arm-trusted-firmware/commit/b596f580637bae919b0ac3a5471422a1f756db3b
https://asrg.io/security-advisories/cve-2024-6285-integer-underflow-in-memory-range-check-in-renesas-rcar/

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6287
    https://www.cve.org/CVERecord?id=CVE-2024-6287
[1] https://security-tracker.debian.org/tracker/CVE-2024-6285
    https://www.cve.org/CVERecord?id=CVE-2024-6285

Please adjust the affected versions in the BTS as needed.
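As an illustration of the two bug classes the CVE descriptions above name (an image overlap test that neglects some cases, and an end-address calculation that underflows or wraps), here is an added C example. It is not code from arm-trusted-firmware or from the Renesas commits linked above; `struct region`, the function names and the sample addresses are assumptions made up for this example. The weak variants show how an image that starts below a loaded image and extends over it, a zero-length image, or an image whose end wraps past the top of the address space can slip through, and the checked variants show the test a loader should make before any arithmetic on the range.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical region descriptor for this example; not a TF-A structure. */
struct region {
    uint64_t base;
    uint64_t size;
};

/* Weak overlap test: only asks whether the new image's start address lands
 * inside an already loaded image. It never notices a new image that starts
 * below the loaded one and extends over it (straddles or fully contains it). */
bool overlaps_weak(struct region new_img, struct region loaded)
{
    return new_img.base >= loaded.base &&
           new_img.base < loaded.base + loaded.size;
}

/* Weak window test: derives the last address as base + size - 1. A zero
 * size underflows to base - 1, and a large size wraps past UINT64_MAX, so
 * the computed end can land inside [lo, hi] although the image does not. */
bool in_window_weak(struct region r, uint64_t lo, uint64_t hi)
{
    uint64_t end = r.base + r.size - 1;
    return r.base >= lo && end <= hi;
}

/* Validate a region before doing arithmetic on it: non-zero size and an
 * inclusive end address that does not wrap. Writes that end to *end. */
bool region_end_checked(struct region r, uint64_t *end)
{
    if (r.size == 0)
        return false;
    if (r.size - 1 > UINT64_MAX - r.base)   /* base + size - 1 would wrap */
        return false;
    *end = r.base + r.size - 1;
    return true;
}

/* Hardened window test: reject malformed regions first, then compare the
 * real inclusive end against the allowed window [lo, hi]. */
bool in_window_checked(struct region r, uint64_t lo, uint64_t hi)
{
    uint64_t end;
    if (!region_end_checked(r, &end))
        return false;
    return r.base >= lo && end <= hi;
}

/* Hardened overlap test: inclusive ranges [a.base, a_end] and [b.base, b_end]
 * intersect iff each starts no later than the other ends. This covers partial
 * overlap from either side as well as full containment in either direction. */
bool overlaps_checked(struct region a, struct region b)
{
    uint64_t a_end, b_end;
    if (!region_end_checked(a, &a_end) || !region_end_checked(b, &b_end))
        return true;   /* malformed input: treat as a collision and refuse */
    return a.base <= b_end && b.base <= a_end;
}

/* Combined policy: a new image may be loaded only if it lies inside the
 * allowed window and collides with none of the already loaded images. */
bool load_allowed(struct region new_img, const struct region *loaded,
                  size_t n, uint64_t lo, uint64_t hi)
{
    if (!in_window_checked(new_img, lo, hi))
        return false;
    for (size_t i = 0; i < n; i++)
        if (overlaps_checked(new_img, loaded[i]))
            return false;
    return true;
}

int main(void)
{
    /* Constructed sample layout: one image already loaded at 0x1000..0x1FFF. */
    struct region loaded[] = { { 0x1000, 0x1000 } };
    struct region containing = { 0x0800, 0x2000 };   /* 0x0800..0x27FF */
    struct region zero_len = { 0x2000, 0 };
    struct region wrapping = { 0xFFFFFFFFFFFFF000ULL, 0x2000 };

    printf("weak overlap, containing image:    %d\n", overlaps_weak(containing, loaded[0]));
    printf("checked overlap, containing image: %d\n", overlaps_checked(containing, loaded[0]));
    printf("weak window, zero-length image:    %d\n", in_window_weak(zero_len, 0x1000, 0x1FFF));
    printf("weak window, wrapping image:       %d\n", in_window_weak(wrapping, 0x1000, 0x1FFF));
    printf("load_allowed(containing):          %d\n", load_allowed(containing, loaded, 1, 0, 0x3FFF));
    return 0;
}
```

The ordering matters: the size and wrap checks in `region_end_checked` run before any range comparison, because once an end address has underflowed or wrapped, every comparison made with it is meaningless. Treating a malformed region as a collision (rather than as "no overlap") keeps the failure closed.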