Message-ID: <3076904.RxA6XjA2Nv@anvil>
Date: Mon, 17 Feb 2025 14:44:54 +0100
From: Richard Weinberger <richard@...ma-star.at>
To: oss-security@...ts.openwall.com
Subject: Multiple Vulnerabilities in U-Boot

## Summary

- *Identifier:*                   sigma-star-sa-2024-002
- *Vendor:*                       -
- *Product/Software:*             [U-Boot](https://source.denx.de/u-boot)
- *Affected versions:*            <= 2024.10
- *Fixed versions:*               v2025.01-rc1
- *CVE IDs:*                      CVE-2024-57254, CVE-2024-57255, CVE-2024-57256, CVE-2024-57257, CVE-2024-57258, CVE-2024-57259

## Affected Product and Vendor

> U-Boot, a boot loader for Embedded boards based on PowerPC, ARM,
> MIPS and several other processors, which can be installed in a boot
> ROM and used to initialize and test the hardware or to download
> and run application code.

Source: https://source.denx.de/u-boot/u-boot/-/blob/master/README

## Description

Multiple vulnerabilities have been found in U-Boot:

- CVE-2024-57254: Integer overflow in U-Boot’s SquashFS symlink size calculation function
- CVE-2024-57255: Integer overflow in U-Boot’s SquashFS symlink resolution function
- CVE-2024-57256: Integer overflow in U-Boot’s ext4 symlink resolution function
- CVE-2024-57257: Stack overflow in U-Boot’s SquashFS symlink resolution function
- CVE-2024-57258: Multiple integer overflows in U-Boot’s memory allocator
- CVE-2024-57259: Heap corruption in U-Boot’s SquashFS directory listing function

## Impact

An attacker capable of modifying ext4 or SquashFS filesystem data structures
can exploit multiple memory corruption vulnerabilities in U-Boot.
For systems that rely on verified boot, these vulnerabilities allow an attacker
to bypass the chain of trust and achieve code execution.
CVE-2024-57258 may also be exploited in U-Boot through subsystems other than ext4 or SquashFS.

## Mitigation

Upgrade to version v2025.01-rc1 or newer.

## Patches

- https://source.denx.de/u-boot/u-boot/-/commit/c8e929e5758999933f9e905049ef2bf3fe6b140d
- https://source.denx.de/u-boot/u-boot/-/commit/233945eba63e24061dffeeaeb7cd6fe985278356
- https://source.denx.de/u-boot/u-boot/-/commit/35f75d2a46e5859138c83a75cd2f4141c5479ab9
- https://source.denx.de/u-boot/u-boot/-/commit/4f5cc096bfd0a591f8a11e86999e3d90a9484c34
- https://source.denx.de/u-boot/u-boot/-/commit/0a10b49206a29b4aa2f80233a3e53ca0466bb0b3
- https://source.denx.de/u-boot/u-boot/-/commit/8642b2178d2c4002c99a0b69a845a48f2ae2706f
- https://source.denx.de/u-boot/u-boot/-/commit/c17b2a05dd50a3ba437e6373093a0d6a359cdee0
- https://source.denx.de/u-boot/u-boot/-/commit/048d795bb5b3d9c5701b4855f5e74bcf6849bf5e

## Credits

- Richard Weinberger ([sigma star gmbh](https://sigma-star.at))
- David Gstir ([sigma star gmbh](https://sigma-star.at))

-- 
sigma star gmbh | Eduard-Bodem-Gasse 6, 6020 Innsbruck, AUT UID/VAT Nr:
ATU 66964118 | FN: 374287y
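
To check which firmware images need the upgrade named under Mitigation, the following added example (not part of the advisory and not U-Boot project code) scans an image for U-Boot version banners and compares them with the affected and fixed versions stated above. It assumes the upstream `U-Boot YYYY.MM[-rcN]` banner form; the function names, status labels and sample bytes are constructed for illustration.

```python
import re
import sys

# Bounds from the advisory: affected <= 2024.10, fixed in v2025.01-rc1.
FIXED = (2025, 1, 1)   # (year, month, rc number)
FINAL = 1 << 30        # a final release sorts after all of its -rcN candidates

# Assumed banner form: "U-Boot [SPL |TPL ]YYYY.MM[-rcN][-suffix] (build date)"
BANNER = re.compile(rb"U-Boot (?:SPL |TPL )?(\d{4})\.(\d{2})(?:-rc(\d+))?([^\s(]*)")


def classify(match):
    """Map one banner match to a (version, status) pair."""
    year, month, rc, extra = match.groups()
    key = (int(year), int(month), int(rc) if rc else FINAL)
    version = match.group(0).split(b" ")[-1].decode("ascii", "replace")
    if key >= FIXED:
        return version, "fixed-upstream"
    if extra:
        # Vendor or git-describe suffix: the tree may carry backported
        # fixes, so the banner alone cannot settle it.
        return version, "affected-range-verify-backports"
    return version, "affected"


def scan(image: bytes):
    """Return sorted, de-duplicated (version, status) pairs found in image."""
    return sorted({classify(m) for m in BANNER.finditer(image)})


# Constructed sample: three banners embedded in otherwise arbitrary bytes.
SAMPLE = (
    b"\x00\x01U-Boot SPL 2024.10 (Oct 07 2024 - 10:00:00 +0000)\x00"
    b"\xffU-Boot 2023.07-rc2-vendor1 (Jul 01 2023 - 09:00:00 +0000)\x00"
    b"U-Boot 2025.01-rc1 (Nov 01 2024 - 08:00:00 +0000)\x00"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    for version, status in scan(data):
        print(f"{version}\t{status}")
```

A banner only reports what the build claims, so a compressed image or a vendor tree with backported patches still has to be checked against the commits listed under Patches.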

