Date: Thu, 21 Apr 2022 08:11:55 -0400
From: Tom Rini <trini@konsulko.com>
To: "Gan, Yau Wai"
Cc: u-boot@lists.denx.de
Subject: Re: CVE-2018-25032 on u-boot zlib
Message-ID: <20220421121155.GX3045430@bill-the-cat>

On Thu, Apr 21, 2022 at 06:31:44AM +0000, Gan, Yau Wai wrote:
> This is to report that a CVE was detected during u-boot scanning. Sending to the open mailing list as get_maintainer suggested.
>
> The current zlib version used in u-boot contains CVE-2018-25032 [1].
> Corresponding fix in zlib mainline has been addressed in v1.2.12 [2].
> It is required to upgrade zlib in u-boot to that version or later to mitigate the CVE.
>
> [1] https://www.cve.org/CVERecord?id=CVE-2018-25032
> [2] https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531

Please note that by default, no U-Boot binary is vulnerable to this as we
only support using the zlib deflate (so, compress a file, not uncompress
an archive) when CMD_ZIP is enabled. This is only true of the sandbox
build. A patch to apply the fix from upstream would be most welcome, all
the same. Thanks!
-- 
Tom
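A triage script for the two facts the thread establishes (the upstream fix is in zlib 1.2.12, and U-Boot only compiles the zlib deflate path when CMD_ZIP is enabled). This is an added example, not code from U-Boot or from either participant; it assumes the tree's zlib header defines ZLIB_VERSION the way upstream zlib.h does and that the build's .config spells the option CONFIG_CMD_ZIP=y. The fixture files in the usage note are constructed, not taken from a real tree.

```shell
#!/bin/sh
# Added triage script (not U-Boot code): decide whether a U-Boot build is exposed
# to CVE-2018-25032 from two facts stated in the thread:
#   1. the upstream fix is in zlib 1.2.12, so ZLIB_VERSION >= 1.2.12 means fixed;
#   2. U-Boot only compiles the zlib deflate path when CMD_ZIP is enabled.
# Assumptions: the zlib header defines ZLIB_VERSION as upstream zlib.h does, and
# the build's .config spells the option CONFIG_CMD_ZIP=y.

# Print the ZLIB_VERSION string found in a zlib.h-style header, or nothing.
zlib_version_from_header() {
    sed -n 's/^#define[[:space:]]*ZLIB_VERSION[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed (return 0) when dotted version $1 is numerically older than $2.
# Non-numeric suffixes such as "1.2.11.1-motley" are ignored per component.
version_lt() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        x=$(printf '%s' "$x" | tr -cd '0-9'); y=$(printf '%s' "$y" | tr -cd '0-9')
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# Succeed when the .config enables CMD_ZIP, the gate on the deflate path.
cmd_zip_enabled() {
    grep -q '^CONFIG_CMD_ZIP=y$' "$1"
}

# Verdict for one build: $1 = .config, $2 = zlib header.
# Exit status: 0 = deflate path not exposed, 1 = exposed, 2 = could not decide.
triage() {
    config="$1" header="$2"
    ver=$(zlib_version_from_header "$header")
    if [ -z "$ver" ]; then
        echo "no ZLIB_VERSION found in $header"
        return 2
    fi
    if ! version_lt "$ver" "1.2.12"; then
        echo "zlib $ver: fix for CVE-2018-25032 present (>= 1.2.12)"
        return 0
    fi
    if cmd_zip_enabled "$config"; then
        echo "zlib $ver (< 1.2.12) with CONFIG_CMD_ZIP=y: deflate compiled in, apply the upstream fix"
        return 1
    fi
    echo "zlib $ver (< 1.2.12) but CONFIG_CMD_ZIP unset: deflate not built, still update zlib"
    return 0
}

# Usage: sh zlib_triage.sh path/to/.config path/to/zlib.h
if [ "$#" -eq 2 ]; then
    triage "$1" "$2"
    exit $?
fi
```

Run it against a build's .config and the zlib header in the tree; an exit status of 1 means the deflate code is actually linked into that binary with a pre-1.2.12 zlib, while 0 with the "CONFIG_CMD_ZIP unset" message matches Tom's point that the default builds do not compile the affected path even though the source still wants the upstream fix.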