On Sat Dec 21, 2024 at 12:03 AM CET, Vagrant Cascadian wrote:
> On 2024-12-20, Diederik de Haas wrote:
> > On Tue Jul 09, 2024 at 22:10 CEST, Salvatore Bonaccorso wrote:
> >> The following vulnerabilities were published for arm-trusted-firmware.
> >>
> >> CVE-2024-6564[1]:
> >> | Buffer overflow in "rcar_dev_init" due to using
> >> | untrusted data (rcar_image_number) as a loop counter before
> >> | verifying it against RCAR_MAX_BL3X_IMAGE. This could lead to a full
> >> | bypass of secure boot.
> >
> > Fixed in tag v2.11-rc0 in commit:
> > b469880e3b6b ("fix(rcar3-drivers): check "rcar_image_number" variable
> > before use")
> ...
> > I've only/quickly checked the latter CVE and the offending code has been
> > present since tag v2.1-rc0 via commit:
> > c2f286820471 ("rcar_gen3: drivers: io [emmc/mem]")
> >
> > I just checked the upstream lts-2.8 branch and the issue is still
> > present in tag lts-v2.8.26 (AFAICT the Debian package is at 2.8.0).
> > There's quite a high chance it's also present in oldstable.
>
> Present in the source code, perhaps, but not in shipped binaries in the
> .deb! The rcar/renesas platform was not added to debian's
> arm-trusted-firmware packages until version 2.9.0+dfsg-1.
Excellent, so we just need to update the package in Unstable then.

FTR: the problem is also present upstream in lts-v2.10.10. I'm not going to
do anything with it, but if someone feels inclined, they could inform
upstream about it.

> Thanks for noting the upstream commits fixing the issue!

You're welcome. I find traceability important and useful :-)
Did that with my kernel work too, but it doesn't seem to have inspired
others ;-P

Cheers,
  Diederik
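As an added illustration of the bug class the quoted CVE text describes (a count read from untrusted storage used as a loop bound before it is compared with the fixed maximum), here is a hardened table parser that performs the bound check first. This is example code written for this thread, not the arm-trusted-firmware R-Car driver: the value given to RCAR_MAX_BL3X_IMAGE, the header layout, the struct names and the sample headers are all assumed or constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* RCAR_MAX_BL3X_IMAGE is the upstream limit named in the CVE text; its value
 * here is an assumed placeholder, and the header layout below is constructed. */
#define RCAR_MAX_BL3X_IMAGE 8
#define WORDS_PER_ENTRY     3   /* src, dst, len */

struct image_entry { uint32_t src, dst, len; };
struct image_table {
    uint32_t count;
    struct image_entry entries[RCAR_MAX_BL3X_IMAGE];
};

/* Header layout (constructed): hdr[0] = image count, then `count` entries of
 * WORDS_PER_ENTRY words each.  Returns 0 on success, -1 if the header must be
 * rejected.  The count is checked against RCAR_MAX_BL3X_IMAGE and against the
 * words actually present *before* it is used as a loop bound. */
int parse_image_table(const uint32_t *hdr, size_t hdr_words,
                      struct image_table *out)
{
    if (hdr == NULL || out == NULL || hdr_words < 1)
        return -1;
    uint32_t n = hdr[0];                          /* attacker-controlled */
    if (n > RCAR_MAX_BL3X_IMAGE)                  /* the check the CVE says was missing */
        return -1;
    if ((size_t)n * WORDS_PER_ENTRY > hdr_words - 1)  /* n <= 8, so no overflow */
        return -1;                                /* truncated header */
    for (uint32_t i = 0; i < n; i++) {            /* safe: n <= array size */
        const uint32_t *e = &hdr[1 + i * WORDS_PER_ENTRY];
        out->entries[i].src = e[0];
        out->entries[i].dst = e[1];
        out->entries[i].len = e[2];
    }
    out->count = n;
    return 0;
}

/* Constructed sample headers and wrappers so each case can be called by name. */
static const uint32_t good_hdr[]      = { 2, 0x100, 0x48000000, 0x2000,
                                             0x3100, 0x44000000, 0x800 };
static const uint32_t oversize_hdr[]  = { 0x7fffffff, 0, 0, 0 };
static const uint32_t truncated_hdr[] = { 3, 0x100, 0x48000000, 0x2000 };

int demo_good(void)      { struct image_table t; int r = parse_image_table(good_hdr, 7, &t);
                           return r == 0 && t.count == 2 && t.entries[1].len == 0x800; }
int demo_oversize(void)  { struct image_table t; return parse_image_table(oversize_hdr, 4, &t); }
int demo_truncated(void) { struct image_table t; return parse_image_table(truncated_hdr, 4, &t); }
```

The oversize header is rejected by the maximum-count check and the truncated one by the length check, so neither reaches the copy loop.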