Bug 26358 - u-boot new security issues CVE-2020-8432 and CVE-2020-10648
Summary: u-boot new security issues CVE-2020-8432 and CVE-2020-10648
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Olivier Blin
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 23799
  Show dependency treegraph
 
Reported: 2020-03-18 23:29 CET by David Walser
Modified: 2021-07-01 18:22 CEST (History)
2 users (show)

See Also:
Source RPM: u-boot-20180507-4.mga8.src.rpm
CVE:
Status comment: Patches proposed upstream

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2020-03-18 23:29:02 CET 
A security issue in u-boot has been announced today (March 18):
https://www.openwall.com/lists/oss-security/2020/03/18/5

Proposed patches have been linked from the end of the message above.

Mageia 7 is also affected.
David Walser 2020-03-18 23:29:21 CET

Blocks: (none) => 23799
Status comment: (none) => Patches proposed upstream
Whiteboard: (none) => MGA7TOO

Comment 1 r howard 2020-04-14 09:53:13 CEST 
U-Boot v2020.04 released: https://lists.denx.de/pipermail/u-boot/2020-April/406522.html
It should include fixes related to CVE-2020-10648

CC: (none) => rihoward1

Comment 2 Aurelien Oudelet 2020-10-06 16:27:52 CEST 
U-Boot 2020.10 is released upstream.
Comment 3 David Walser 2020-11-06 00:41:08 CET 
SUSE has issued an advisory for this today (November 5):
https://lists.suse.com/pipermail/sle-security-updates/2020-November/007704.html

It also fixes a new issue.

Summary: u-boot new security issue CVE-2020-10648 => u-boot new security issues CVE-2020-8432 and CVE-2020-10648

Comment 4 David Walser 2020-11-11 00:47:14 CET 
openSUSE has issued an advisory for this on November 7:
https://lists.opensuse.org/opensuse-security-announce/2020-11/msg00030.html
Comment 5 David Walser 2020-12-28 12:55:44 CET 
This was the commit:
https://build.opensuse.org/request/show/846438

That was in the 15.2 branch:
https://build.opensuse.org/package/show/openSUSE:Leap:15.2:Update/u-boot

The 15.1 branch fixed these CVEs and several others:
https://build.opensuse.org/package/show/openSUSE:Leap:15.1:Update/u-boot

"Fix CVE-2019-14192 (bsc#1143777), CVE-2019-14193 (bsc#1143817),
CVE-2019-14199 (bsc#1143824), CVE-2019-14197 (bsc#1143821),
CVE-2019-14200 (bsc#1143825), CVE-2019-14201 (bsc#1143827), 
CVE-2019-14202 (bsc#1143828), CVE-2019-14203 (bsc#1143830),
CVE-2019-14204 (bsc#1143831), CVE-2019-14194 (bsc#1143818),
CVE-2019-14198 (bsc#1143823), CVE-2019-14195 (bsc#1143819),
CVE-2019-14196 (bsc#1143820), CVE-2019-13103 (bsc#1143463),
CVE-2020-8432 (bsc#1162198), CVE-2019-11059 (bsc#1134853),
CVE-2019-11690 (bsc#1134157) and CVE-2020-10648 (bsc#1167209)

Patch queue updated from git://github.com/openSUSE/u-boot.git sle15-sp1
* Patches added:
  0018-CVE-net-fix-unbounded-memcpy-of-UDP.patch
  0019-CVE-nfs-fix-stack-based-buffer-over.patch
  0020-CVE-2019-14194-CVE-2019-14198-nfs-f.patch
  0021-CVE-2019-14195-nfs-fix-unbounded-me.patch
  0022-CVE-2019-14196-nfs-fix-unbounded-me.patch
  0023-CVE-2019-13103-disk-stop-infinite-r.patch
  0024-cmd-gpt-Address-error-cases-during-.patch
  0025-Fix-ext4-block-group-descriptor-siz.patch
  0026-lib-uuid-Fix-unseeded-PRNG-on-RANDO.patch
  0027-image-Check-hash-nodes-when-checkin.patch
  0028-image-Load-the-correct-configuratio.patch"

from:
https://build.opensuse.org/package/view_file/openSUSE:Leap:15.1:Update/u-boot/u-boot.changes?expand=1
Comment 6 Nicolas Lécureuil 2021-01-06 18:51:55 CET 
from :
https://security-tracker.debian.org/tracker/CVE-2020-8432
and
https://security-tracker.debian.org/tracker/CVE-2020-10648

it is fixed in 2020.10

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
CC: (none) => mageia

Comment 7 David Walser 2021-07-01 18:22:46 CEST 
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Status: NEW => RESOLVED
Resolution: (none) => OLD
Note You need to log in before you can comment on or make changes to this bug.