| Summary: | u-boot new security issues CVE-2018-18439, CVE-2018-18440 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Olivier Blin <mageia> |
| Status: | RESOLVED OLD | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | mageia, marja11, pterjan, rihoward1, thierry.vignaud |
| Version: | 7 | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | u-boot-20180507-3.mga7.src.rpm | CVE: | |
| Status comment: | Fixed upstream in 2019.04 | | |
| Bug Depends on: | 26358 | | |
| Bug Blocks: | | | |

Description
David Walser
2018-11-02 13:59:14 CET
David Walser
2018-11-02 13:59:25 CET
Whiteboard: (none) => MGA6TOO

Assigning to the registered maintainer.

Assignee: bugsquad => mageia

May not be a real issue.

SUSE says: We don't use fit (or any verified boot) in any of our distros with U-Boot, so I guess this doesn't affect us.

Debian says: No security impact as supported/packaged in Debian

Status comment: (none) => Not fixed upstream as of end of 2018

David Walser
2019-06-23 19:31:31 CEST
Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

David Walser
2020-03-18 23:29:21 CET
Depends on: (none) => 26358

Nicolas Lécureuil
2020-05-22 14:08:41 CEST
CC: (none) => mageia

U-Boot 2020.10 is released upstream.

Nicolas Lécureuil
2020-12-26 19:57:25 CET
Version: Cauldron => 7

David Walser
2020-12-26 20:31:39 CET
Whiteboard: (none) => MGA7TOO

Should this have to be kept open if "not a real issue" for every distro? :-)

Only for two. I don't know enough about this software or how we use/package it in Mageia to know if it impacts us or not. Maybe Pascal, Thierry, or Olivier know?

CC: (none) => pterjan, thierry.vignaud

This was fixed in the uboot/master in July 2018 so is included in any official uboot release after that date. https://lists.denx.de/pipermail/u-boot/2018-July/334277.html

Anyhow, it is my understanding it is irrelevant to Mageia ARM 32 bit builds as FIT (flattened image tree) is not used but FDT (flattened device tree) is.

CC: (none) => rihoward1

Upstream advisory says fixed in 2019.04. I don't see anything about it being specific to ARM or FIT.

Version: Cauldron => 7

David Walser You have to scroll down in the original openwall link to the over verbose message at openwall and you will see the reference to the original email which refers to FIT. The actual code for the fix is at https://lists.denx.de/pipermail/u-boot/2018-June/331095.html which was applied in July 2018 to uboot/master. Mageia only supports uboot on ARM.

That's certainly not clear. There's no mention of FIT (other than those letters in that order being used in filenames in the PoC) and we have the u-boot packages on Intel, and the package description says that it supports x86.

It is clear if you have a knowledge of uboot code and have been using it for over a decade and read much of the source code. David, which Intel boards does Mageia support that use uboot instead of BIOS?

I'm just the security guy, I can't be expected to have intimate knowledge of 10,000 packages, but I do my best to learn from those who know. So I take it that u-boot is used for creating firmwares, from what you're saying. Is our package hobbled in some way that it doesn't support x86 like upstream does? Whether you would run Mageia on a system for which you create a firmware is probably irrelevant.

https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Resolution: (none) => OLD