On Thu, Jun 19, 2025 at 09:35:25AM +0200, Rolf Eike Beer wrote: > Hi all, > > for entirely unrelated reasons I came accross CVE-2023-39902: > > > A software vulnerability has been identified in the U-Boot Secondary Program > > Loader (SPL) before 2023.07 on select NXP i.MX 8M family processors. Under > > certain conditions, a crafted Flattened Image Tree (FIT) format structure > > can be used to overwrite SPL memory, allowing unauthenticated software to > > execute on the target, leading to privilege escalation. > > This links to > https://community.nxp.com/t5/i-MX-Security/U-Boot-Secondary-Program-Loader-Authentication-Vulnerability-CVE/ta-p/1736196, > which links 4 > patches. The relevant one seems to me https://github.com/nxp-imx/uboot-imx/ > commit/0746cfd931de8f7591d263ff60dd806ffe23c093, and for my limited > understanding the actual fix is the first hunk. > > A similar change has been made in 6039e0edc8540bd2a ("imx: hab: Simplify the > mechanism"), so I wonder if this is just an unnoticed instance of the very > same bug? > > Opinions?
Lets add the iMX folks.. -- Tom
signature.asc
Description: PGP signature
