[EXT] Re: Was plain U-Boot affected by CVE-2023-39902?

[Ye Li]

It is same bug also resolved by 6039e0edc8540bd2a ("imx: hab:Simplify the mechanism"). 
NXP Downstream uses different implementation with upstream.

Best regards,
Ye Li
> -----Original Message-----
> From: Tom Rini <trini at konsulko.com>
> Sent: Monday, June 23, 2025 11:14 PM
> To: Rolf Eike Beer <eb at emlix.com>; Stefano Babic <sbabic at nabladev.com>;
> Fabio Estevam <festevam at gmail.com>; dl-uboot-imx <uboot-imx at nxp.com>;
> Peng Fan <peng.fan at nxp.com>
> Cc: u-boot at lists.denx.de
> Subject: [EXT] Re: Was plain U-Boot affected by CVE-2023-39902?
> 
> On Thu, Jun 19, 2025 at 09:35:25AM +0200, Rolf Eike Beer wrote:
> > Hi all,
> >
> > for entirely unrelated reasons I came accross CVE-2023-39902:
> >
> > > A software vulnerability has been identified in the U-Boot Secondary
> > > Program Loader (SPL) before 2023.07 on select NXP i.MX 8M family
> > > processors. Under certain conditions, a crafted Flattened Image Tree
> > > (FIT) format structure can be used to overwrite SPL memory, allowing
> > > unauthenticated software to execute on the target, leading to privilege
> escalation.
> >
> > This links to
> > https://community.nxp.com/t5/i-MX-Security/U-Boot-Secondary-Program-
> Lo
> > ader-Authentication-Vulnerability-CVE/ta-p/1736196, which links 4
> > patches. The relevant one seems to me
> > https://github.com/nxp-imx/uboot-imx/
> > commit/0746cfd931de8f7591d263ff60dd806ffe23c093, and for my limited
> > understanding the actual fix is the first hunk.
> >
> > A similar change has been made in 6039e0edc8540bd2a ("imx: hab:
> > Simplify the mechanism"), so I wonder if this is just an unnoticed
> > instance of the very same bug?
> >
> > Opinions?
> 
> Lets add the iMX folks..
> 
> --
> Tom