ZDI-CAN-24679: New Vulnerability Report
Tony Dinh
mibodhi at gmail.com
Thu Nov 14 21:18:49 CET 2024
Hi Tom,
Hi Stefan,
On Thu, Nov 14, 2024 at 8:33 AM Tom Rini <trini at konsulko.com> wrote:
>
> On Thu, Nov 14, 2024 at 04:07:15PM +0100, Michal Simek wrote:
>
> > Hi,
> >
> > On 11/14/24 15:56, Tom Rini wrote:
> > > On Thu, Nov 14, 2024 at 04:02:29AM +0000, zdi-disclosures at trendmicro.com wrote:
> > >
> > > > Hi,
> > > > Do you have any updates to share regarding this vulnerability report?
> > >
> > > Michal, microblaze-generic is the most active platform that enables
> > > FS_JFFS2 by default and so vulnerable here. Can you find some resources
> > > to look in to fixing this please? Thanks.
> >
> > We have actually discussed this recently and we have other issues with jffs2
> > and not going to fix it or recommend to use it.
> > JFFS2 should be removed from our configs and it is also not under our regression.
>
> Ah OK, thanks. Adding a few more maintainers now then.
Does this affect only boards that explicitly use CMD_JFFS2? how about
boards that have not been converted to bootstd and still use "nand
read" like this:
include/configs/openrd.h
#define CFG_EXTRA_ENV_SETTINGS "x_bootargs=console=ttyS0,115200 " \
CONFIG_MTDPARTS_DEFAULT " rw ubi.mtd=2,2048\0" \
"x_bootcmd_kernel=nand read 0x6400000 0x100000 0x300000\0" \
All the best,
Tony
More information about the U-Boot
mailing list