On 2024-12-20, Diederik de Haas wrote:
> On Wed Dec 18, 2024 at 12:02 PM CET, Robin Jarry wrote:
>> The following vulnerabilities were published for arm-trusted-firmware.
>>
>> CVE-2024-6563[0]:
>> | Buffer Copy without Checking Size of Input ('Classic Buffer
>> | Overflow') vulnerability in Renesas arm-trusted-firmware allows
>> | Local Execution of Code.
> ...racker are useful, so thanks for that :-)
...
> Fixed in tag v2.11-rc0 in commit:
> ae4860b0f5c2 ("fix(rcar3-drivers): check loaded NS image area")
>
>> CVE-2024-6564[1]:
>> | Buffer overflow in "rcar_dev_init" due to using
>> | untrusted data (rcar_image_number) as a loop counter before
>> | verifying it against RCAR_MAX_BL3X_IMAGE. This could lead to a full
>> | bypass of secure boot.
>
> Fixed in tag v2.11-rc0 in commit:
> b469880e3b6b ("fix(rcar3-drivers): check "rcar_image_number" variable before
> use")
...
> I've only/quickly checked the latter CVE and the offending code has been
> present since tag v2.1-rc0 via commit:
> c2f286820471 ("rcar_gen3: drivers: io [emmc/mem]")
>
> I just checked the upstream lts-2.8 branch and the issue is still
> present in tag lts-v2.8.26 (AFAICT the Debian package is at 2.8.0).
> There's quite a high chance it's also present in oldstable.
Present in the source code, perhaps, but not in shipped binaries in the .deb! The rcar/renesas platform was not added to Debian's arm-trusted-firmware packages until version 2.9.0+dfsg-1. Thanks for noting the upstream commits fixing the issue!

live well,
  vagrant
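The bug class behind CVE-2024-6564, as quoted above, is an image count read from untrusted data and used as a loop bound before it is compared against RCAR_MAX_BL3X_IMAGE. The following is an added illustration written for this thread, not code from arm-trusted-firmware or from the upstream fix; the header layout, struct names and sample headers are constructed, and only the RCAR_MAX_BL3X_IMAGE name comes from the advisory.

```c
#include <stddef.h>
#include <stdint.h>

#define RCAR_MAX_BL3X_IMAGE 8   /* fixed table size named in the advisory */

struct image_entry { uint32_t dst; uint32_t len; };
struct image_table {
    uint32_t image_number;                    /* from the untrusted header */
    struct image_entry e[RCAR_MAX_BL3X_IMAGE];
};

/* Constructed header layout (not the real rcar format): word 0 is
 * image_number, words 1+2*i / 2+2*i are dst / len of image i.
 * Vulnerable pattern (do not use): the untrusted count drives the loop
 * before it is compared with the table size, so a large value walks
 * past e[]:   for (i = 0; i < hdr[0]; i++) t->e[i] = ...;            */

/* Hardened form: reject the header unless the count fits the fixed table
 * and the header really carries that many entries.  Returns the number
 * of entries copied, or -1 if the header is rejected. */
int load_images_checked(const uint32_t *hdr, size_t nwords,
                        struct image_table *t)
{
    if (hdr == NULL || t == NULL || nwords < 1)
        return -1;
    uint32_t n = hdr[0];
    if (n > RCAR_MAX_BL3X_IMAGE)            /* the check the fix adds */
        return -1;
    if ((size_t)n * 2 + 1 > nwords)         /* header shorter than claimed */
        return -1;
    t->image_number = n;
    for (uint32_t i = 0; i < n; i++) {
        t->e[i].dst = hdr[1 + 2 * i];
        t->e[i].len = hdr[2 + 2 * i];
    }
    return (int)n;
}

/* Wrapper returning dst of entry idx, or 0 when the header is rejected. */
uint32_t loaded_dst(const uint32_t *hdr, size_t nwords, uint32_t idx)
{
    struct image_table t;
    int n = load_images_checked(hdr, nwords, &t);
    return (n < 0 || idx >= (uint32_t)n) ? 0 : t.e[idx].dst;
}

/* Constructed sample headers. */
static const uint32_t good_hdr[5] = { 2, 0x44000000, 0x1000, 0x50000000, 0x2000 };
static const uint32_t max_hdr[17] = { RCAR_MAX_BL3X_IMAGE, 0x60000000 }; /* 8 */
static const uint32_t bad_hdr[25] = { 12, 0x70000000 };                  /* 12 > 8 */
```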