Source: arm-trusted-firmware
Version: 2.10.0+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for arm-trusted-firmware.

CVE-2024-6563[0]:
| Buffer Copy without Checking Size of Input ('Classic Buffer
| Overflow') vulnerability in Renesas arm-trusted-firmware allows
| Local Execution of Code. This vulnerability is associated with
| program files
| https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i...
| https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C .
| In line 313 "addr_loaded_cnt" is checked not to be
| "CHECK_IMAGE_AREA_CNT" (5) or larger, this check does not halt the
| function. Immediately after (line 317) there will be an overflow in
| the buffer and the value of "dst" will be written to the area
| immediately after the buffer, which is "addr_loaded_cnt". This will
| allow an attacker to freely control the value of "addr_loaded_cnt"
| and thus control the destination of the write immediately after
| (line 318). The write in line 318 will then be fully controlled by
| said attacker, with whichever address and whichever value ("len")
| they desire.

CVE-2024-6564[1]:
| Buffer overflow in "rcar_dev_init" due to using
| untrusted data (rcar_image_number) as a loop counter before
| verifying it against RCAR_MAX_BL3X_IMAGE. This could lead to a full
| bypass of secure boot.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6563
    https://www.cve.org/CVERecord?id=CVE-2024-6563
[1] https://security-tracker.debian.org/tracker/CVE-2024-6564
    https://www.cve.org/CVERecord?id=CVE-2024-6564

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
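
The two checks described in the CVE texts above, written in fail-closed form. This is an added example, not code from the Renesas tree or from the original message. The struct layout, the header layout used by parse_image_table and the value 8 for RCAR_MAX_BL3X_IMAGE are assumptions; only the identifiers addr_loaded_cnt, CHECK_IMAGE_AREA_CNT (5), rcar_image_number and RCAR_MAX_BL3X_IMAGE come from the advisory.

```c
#include <stddef.h>
#include <stdint.h>

#define CHECK_IMAGE_AREA_CNT 5U /* limit quoted in the CVE-2024-6563 text */
#define RCAR_MAX_BL3X_IMAGE  8U /* assumed value, not taken from the page */
#define IO_SUCCESS 0
#define IO_FAIL    (-1)

/* Modelled state: the table is followed directly by its own counter. */
struct load_state {
	struct { uintptr_t dest; uintptr_t length; } addr_loaded[CHECK_IMAGE_AREA_CNT];
	uint32_t addr_loaded_cnt;
};

/* Fail closed: return before indexing, so a full table is never written past. */
int record_loaded_area(struct load_state *st, uintptr_t dst, uintptr_t len)
{
	if (st->addr_loaded_cnt >= CHECK_IMAGE_AREA_CNT)
		return IO_FAIL; /* reporting the error without returning is the bug */
	st->addr_loaded[st->addr_loaded_cnt].dest = dst;
	st->addr_loaded[st->addr_loaded_cnt].length = len;
	st->addr_loaded_cnt++;
	return IO_SUCCESS;
}

/* hdr[0] is the untrusted image count, hdr[1..] the entries (hypothetical layout).
 * The count is bounded against the table and the input before the loop uses it. */
int parse_image_table(const uint32_t *hdr, size_t hdr_words,
		      uint32_t table[RCAR_MAX_BL3X_IMAGE], uint32_t *count_out)
{
	if (hdr_words < 1U)
		return IO_FAIL;
	uint32_t rcar_image_number = hdr[0];
	if (rcar_image_number > RCAR_MAX_BL3X_IMAGE || rcar_image_number > hdr_words - 1U)
		return IO_FAIL;
	for (uint32_t i = 0; i < rcar_image_number; i++)
		table[i] = hdr[i + 1U];
	*count_out = rcar_image_number;
	return IO_SUCCESS;
}

int main(void)
{
	struct load_state st = {0};
	int rc = IO_SUCCESS;
	for (unsigned i = 0; i <= CHECK_IMAGE_AREA_CNT; i++) /* one call too many */
		rc = record_loaded_area(&st, 0x1000U * (i + 1U), 0x100U);
	return (rc == IO_FAIL && st.addr_loaded_cnt == CHECK_IMAGE_AREA_CNT) ? 0 : 1;
}
```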