Message-ID: <2715068.vYEEZNnvjD@anvil>
Date: Mon, 17 Feb 2025 14:44:48 +0100
From: Richard Weinberger <richard@...ma-star.at>
To: oss-security@...ts.openwall.com
Subject: Multiple Vulnerabilities in Barebox

## Summary

- *Identifier:*                   sigma-star-sa-2024-003
- *Vendor:*                       -
- *Product/Software:*             [Barebox](https://barebox.org)
- *Affected versions:*            < v2025.01.0
- *Fixed versions:*               v2025.01.0
- *CVE IDs:*                      CVE-2024-57260, CVE-2024-57261, CVE-2024-57262

## Affected Product and Vendor

> barebox is a bootloader designed for embedded systems.
> It runs on a variety of architectures including x86, ARM, MIPS, RISC-V and
> others.  barebox aims to be a versatile and flexible bootloader, not only
> for booting embedded Linux systems, but also for initial hardware bringup
> and development.  barebox is highly configurable to be suitable as a full-
> featured development binary as well as for lean production systems.
> Just like busybox is the Swiss Army Knife for embedded Linux,
> barebox is the Swiss Army Knife for bare metal, hence the name.

Source: https://barebox.org/

## Description

Multiple vulnerabilities have been found in Barebox:

- CVE-2024-57260: Multiple vulnerabilities in Barebox’s SquashFS due to missing patches from Linux
- CVE-2024-57261: Integer overflow in Barebox’s memory allocator
- CVE-2024-57262: Integer overflow in Barebox’s SquashFS symlink resolution function

## Impact

An attacker capable of modifying ext4 or SquashFS filesystem data structures
can exploit multiple memory corruption vulnerabilities in Barebox.
For systems that rely on verified boot, these vulnerabilities allow an attacker
to bypass the chain of trust and achieve code execution by exploiting these
issues.
CVE-2024-57261 may also be exploited in Barebox through other subsystems than ext4 or SquashFS.

## Mitigation

Upgrade to version v2025.01.0 or newer.

## Patches

- https://git.pengutronix.de/cgit/barebox/commit/?id=ced445748477037e88f118b6d67409e0f3f2ea76
- https://git.pengutronix.de/cgit/barebox/commit/?id=12c3770203e2b264a796b43a54c6dd5f9fe3d2f0
- https://git.pengutronix.de/cgit/barebox/commit/?id=efe52dae380ab1e0bfdc2ee1575cf95da7061d99
- https://git.pengutronix.de/cgit/barebox/commit/?id=b8bd710ec1c90d032a461d57e522a8f985809278
- https://git.pengutronix.de/cgit/barebox/commit/?id=f034651371945a66069c2e9ff5a711211f650d0d
- https://git.pengutronix.de/cgit/barebox/commit/?id=7cf25e0733f08f68d1bf0ca0c3cf6e2dfe51bd3c
- https://git.pengutronix.de/cgit/barebox/commit/?id=a2b76550f7d87ba6f88a9ea50e71f107b514ff4e


## Credits

- Richard Weinberger ([sigma star gmbh](https://sigma-star.at))
- David Gstir ([sigma star gmbh](https://sigma-star.at))

-- 
sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT UID/VAT Nr:
ATU 66964118 | FN: 374287y