An advisory has been issued today (November 2): https://www.openwall.com/lists/oss-security/2018/11/02/2 A fix doesn't appear to be available yet. Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
Assignee: bugsquad => mageia
CC: (none) => marja11
May not be a real issue. SUSE says: We don't use fit (or any verified boot) in any of our distros with U-Boot, so I guess this doesn't affect us. Debian says: No security impact as supported/packaged in Debian
Status comment: (none) => Not fixed upstream as of end of 2018
Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO
Depends on: (none) => 26358
CC: (none) => mageia
Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO
U-Boot 2020.10 is released upstream.
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Whiteboard: (none) => MGA7TOO
Version: 7 => Cauldron
Should this have to be kept open if "not a real issue" for every distro? :-)
Only for two. I don't know enough about this software or how we use/package it in Mageia to know if it impacts us or not. Maybe Pascal, Thierry, or Olivier know?
CC: (none) => pterjan, thierry.vignaud
This was fixed in the uboot/master in July 2018 so is included in any official uboot release after that date. https://lists.denx.de/pipermail/u-boot/2018-July/334277.html Anyhow, it is my understanding it is irrelevant to Mageia ARM 32 bit builds as FIT (flattened image tree) is not used but FDT (flattened device tree) is.
CC: (none) => rihoward1
Upstream advisory says fixed in 2019.04. I don't see anything about it being specific to ARM or FIT.
Version: Cauldron => 7
Status comment: Not fixed upstream as of end of 2018 => Fixed upstream in 2019.04
Whiteboard: MGA7TOO => (none)
David Walser, you have to scroll down in the original openwall link to the over-verbose message at openwall and you will see the reference to the original email which refers to FIT. The actual code for the fix is at https://lists.denx.de/pipermail/u-boot/2018-June/331095.html which was applied in July 2018 to uboot/master. Mageia only supports uboot on ARM.
That's certainly not clear. There's no mention of FIT (other than those letters in that order being used in filenames in the PoC) and we have the u-boot packages on Intel, and the package description says that it supports x86.
It is clear if you have a knowledge of uboot code and have been using it for over a decade and read much of the source code. David, which Intel boards does Mageia support that use uboot instead of BIOS?
I'm just the security guy, I can't be expected to have intimate knowledge of 10,000 packages, but I do my best to learn from those who know. So I take it that u-boot is used for creating firmwares, from what you're saying. Is our package hobbled in some way that it doesn't support x86 like upstream does? Whether you would run Mageia on a system for which you create a firmware is probably irrelevant.
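Added example for the FIT-versus-FDT question argued in the comments above; this is not code from the bug, the advisory or U-Boot itself. The point it shows is that a FIT image is not a separate file format: it is a flattened device tree (same magic, same header, same structure block) whose root carries an /images node holding the sub-images and normally a /configurations node, which is what the U-Boot FIT source format uses. So telling "this board ships a plain DTB" from "this board boots a FIT" means parsing the DTB container and looking at the root's children. The script builds two constructed blobs (a minimal FIT and a minimal board DTB), parses them while checking every header offset and length against the buffer actually present, and classifies each; FdtBuilder, parse_fdt, classify and the sample contents are this example's own names and data.

```python
import struct

FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9
# v17 header: magic, totalsize, off_dt_struct, off_dt_strings, off_mem_rsvmap, version,
# last_comp_version, boot_cpuid_phys, size_dt_strings, size_dt_struct (all big-endian u32)
HEADER_FMT, HEADER_LEN = ">10I", 40

def _align(n): return (n + 3) & ~3
def _pad4(b): return b + b"\0" * (-len(b) % 4)

class FdtBuilder:
    """Serialises (name, {prop: bytes}, [children]) trees into a v17 DTB (stand-in for dtc/mkimage)."""
    def __init__(self):
        self.struct, self.strings, self.offsets = bytearray(), bytearray(), {}
    def _name_offset(self, prop):
        if prop not in self.offsets:
            self.offsets[prop], self.strings = len(self.strings), self.strings + prop.encode() + b"\0"
        return self.offsets[prop]
    def node(self, name, props, children):
        self.struct += struct.pack(">I", FDT_BEGIN_NODE) + _pad4(name.encode() + b"\0")
        for prop, value in props.items():
            self.struct += struct.pack(">III", FDT_PROP, len(value), self._name_offset(prop)) + _pad4(value)
        for child in children:
            self.node(*child)
        self.struct += struct.pack(">I", FDT_END_NODE)
    def build(self):
        body = bytes(self.struct) + struct.pack(">I", FDT_END)
        rsvmap = struct.pack(">QQ", 0, 0)  # empty memory reservation block
        off_struct = HEADER_LEN + len(rsvmap)
        off_strings = off_struct + len(body)
        header = struct.pack(HEADER_FMT, FDT_MAGIC, off_strings + len(self.strings), off_struct,
                             off_strings, HEADER_LEN, 17, 16, 0, len(self.strings), len(body))
        return header + rsvmap + body + bytes(self.strings)

def parse_fdt(blob):
    """Walk a DTB into {node_path: {prop: bytes}}. Every offset and length read from the blob is
    checked against the buffer actually present, so a truncated blob or a lying header raises."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than the FDT header")
    (magic, total, off_struct, off_strings, _rsv, version, _comp, _cpu,
     size_strings, size_struct) = struct.unpack_from(HEADER_FMT, blob)
    if magic != FDT_MAGIC or version < 17:
        raise ValueError("not a version 17+ flattened device tree")
    if total > len(blob) or off_struct + size_struct > total or off_strings + size_strings > total:
        raise ValueError("header offsets/sizes exceed the buffer actually present")
    struct_end = off_struct + size_struct
    def prop_name(nameoff):
        if nameoff >= size_strings:
            raise ValueError("property name offset outside the strings block")
        start = off_strings + nameoff
        return blob[start:blob.index(b"\0", start, off_strings + size_strings)].decode()
    nodes, path, pos = {}, [], off_struct
    while True:
        if pos + 4 > struct_end:
            raise ValueError("structure block ends without FDT_END")
        token, pos = struct.unpack_from(">I", blob, pos)[0], pos + 4
        if token == FDT_BEGIN_NODE:
            nul = blob.index(b"\0", pos, struct_end)
            path.append(blob[pos:nul].decode())
            pos = _align(nul + 1)
            nodes["/" + "/".join(path[1:])] = {}   # root node has the empty name
        elif token == FDT_END_NODE and path:
            path.pop()
        elif token == FDT_PROP:
            if not path or pos + 8 > struct_end:
                raise ValueError("malformed FDT_PROP")
            length, nameoff = struct.unpack_from(">II", blob, pos)
            if pos + 8 + length > struct_end:
                raise ValueError("property data overruns the structure block")
            nodes["/" + "/".join(path[1:])][prop_name(nameoff)] = bytes(blob[pos + 8:pos + 8 + length])
            pos = _align(pos + 8 + length)
        elif token == FDT_END:
            if path:
                raise ValueError("FDT_END inside an open node")
            return nodes
        elif token != FDT_NOP:
            raise ValueError(f"unexpected structure token {token:#x}")

def classify(blob):
    """FIT images are DTBs whose root carries an /images node (and normally /configurations)."""
    try:
        return "FIT" if "/images" in parse_fdt(blob) else "DTB"
    except ValueError:
        return "INVALID"  # failed a bounds check: report it rather than guess

def sample_fit():
    """Constructed minimal FIT: one kernel sub-image and one configuration naming it."""
    b = FdtBuilder()
    b.node("", {"description": b"constructed FIT\0"}, [
        ("images", {}, [("kernel@1", {"type": b"kernel\0", "arch": b"arm\0", "data": b"\0\1\2\3"}, [])]),
        ("configurations", {"default": b"conf@1\0"}, [("conf@1", {"kernel": b"kernel@1\0"}, [])])])
    return b.build()

def sample_dtb():
    """Constructed minimal board device tree with no FIT nodes."""
    b = FdtBuilder()
    b.node("", {"compatible": b"constructed,board\0"}, [("cpus", {}, [("cpu@0", {"device_type": b"cpu\0"}, [])]),
                                                        ("chosen", {"bootargs": b"console=ttyS0\0"}, [])])
    return b.build()
```

Run against a real blob from a board's boot partition, classify() answers the question the thread went back and forth on; parse_fdt() refuses, rather than reads past, any blob whose header claims more bytes than were handed to it, which is the check a practitioner wants in front of any image loader regardless of which format the bootloader is configured for.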
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Resolution: (none) => OLD
Status: NEW => RESOLVED