[U-Boot] Remote code execution vulnerabilities in U-Boot's NFS and other IP parsing code

Simon Goldschmidt simon.k.r.goldschmidt at gmail.com
Tue Jul 23 09:10:17 UTC 2019


On Tue, Jul 23, 2019 at 1:09 AM Fermín Serna <fermin at semmle.com> wrote:
>
> Hello,
>
> Find attached more information about 13 vulnerabilities we found at
> U-Boot and its NFS and networking code. Also, find attached a proposed
> quick patch that should serve as a first initial one and should
> probably go through iterations of code review.
>
> Please note, these vulnerabilities are not patched yet at the source
> repository. Tom Rini (U-Boot's master custodian) requested the
> attached report to be published at this mailing list. At this time,
> and because of this email, we consider these vulnerabilities public.

Would you mind sending the patch again as plain text mail so it can undergo a
proper review process on this list?

Regards,
Simon

>
> For reference, MITRE has issued CVEs for the vulnerabilities:
> CVE-2019-14192, CVE-2019-14193, CVE-2019-14194, CVE-2019-14195,
> CVE-2019-14196, CVE-2019-14197, CVE-2019-14198, CVE-2019-14199,
> CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203 and
> CVE-2019-14204
>
> Best regards,
> --
> Fermin
> Semmle Security Research Team
> _______________________________________________
> U-Boot mailing list
> U-Boot at lists.denx.de
> https://lists.denx.de/listinfo/u-boot

