From: "Gan, Yau Wai"
To: "u-boot@lists.denx.de", "trini@konsulko.com"
Subject: CVE-2018-25032 on u-boot zlib
Date: Thu, 21 Apr 2022 06:31:44 +0000

This is to report that CVE is detected during u-boot scanning. Sending to open mailing list as get_maintainer suggested.

The current zlib version used in u-boot contains CVE-2018-25032 [1]. Corresponding fix in zlib mainline has been addressed in v1.2.12 [2].

It is required to upgrade zlib in u-boot to that version or later to mitigate the CVE.

[1] https://www.cve.org/CVERecord?id=CVE-2018-25032
[2] https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531

- Yau Wai