* CVE-2018-25032 on u-boot zlib
@ 2022-04-21  6:31 Gan, Yau Wai
  2022-04-21 12:11 ` Tom Rini
From: Gan, Yau Wai @ 2022-04-21  6:31 UTC (permalink / raw)
  To: u-boot, trini

This is to report that a CVE was detected during U-Boot scanning. Sending to the open mailing list as get_maintainer suggested.

The current zlib version used in u-boot contains CVE-2018-25032 [1].
The corresponding fix in zlib mainline has been addressed in v1.2.12 [2].
It is required to upgrade zlib in u-boot to that version or later to mitigate the CVE.

[1] https://www.cve.org/CVERecord?id=CVE-2018-25032
[2] https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531

- Yau Wai



* Re: CVE-2018-25032 on u-boot zlib
  2022-04-21  6:31 CVE-2018-25032 on u-boot zlib Gan, Yau Wai
@ 2022-04-21 12:11 ` Tom Rini
From: Tom Rini @ 2022-04-21 12:11 UTC (permalink / raw)
  To: Gan, Yau Wai; +Cc: u-boot


On Thu, Apr 21, 2022 at 06:31:44AM +0000, Gan, Yau Wai wrote:

> This is to report that a CVE was detected during U-Boot scanning. Sending to the open mailing list as get_maintainer suggested.
> 
> The current zlib version used in u-boot contains CVE-2018-25032 [1].
> The corresponding fix in zlib mainline has been addressed in v1.2.12 [2].
> It is required to upgrade zlib in u-boot to that version or later to mitigate the CVE.
> 
> [1] https://www.cve.org/CVERecord?id=CVE-2018-25032
> [2] https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531

Please note that by default, no U-Boot binary is vulnerable to this as
we only support using the zlib deflate (so, compress a file, not
uncompress an archive) when CMD_ZIP is enabled.  This is only true of
the sandbox build.

A patch to apply the fix from upstream would be most welcome, all the
same.  Thanks!

-- 
Tom
