[PATCH v2] Fix CVE-2022-30767 (old CVE-2019-14196)

Tom Rini trini at konsulko.com
Fri May 27 15:30:14 CEST 2022


On Wed, May 18, 2022 at 04:30:08PM +0000, Andrea zi0Black Cappa wrote:

> This patch mitigates the vulnerability identified via CVE-2019-14196.
> The previous patch was bypassed/ineffective, and now the vulnerability is identified via CVE-2022-30767. The patch removes the sanity check introduced to mitigate CVE-2019-14196 since it's ineffective.
> filefh3_length is changed to unsigned type integer, preventing negative numbers from being used during comparison with positive values during size sanity checks.
> 
> Signed-off-by: Andrea zi0Black Cappa <zi0Black at protonmail.com>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20220527/43ec4795/attachment.sig>


More information about the U-Boot mailing list