U-Boot tools: double free vulnerability — GLSA 202405-23

A vulnerability has been discovered in U-Boot tools which can lead to execution of arbitrary code.

Affected packages

dev-embedded/u-boot-tools on all architectures
Affected versions < 2020.04
Unaffected versions >= 2020.04

Background

U-Boot tools provides utilities for working with Das U-Boot.

Description

A vulnerability has been discovered in U-Boot tools. Please review the CVE identifier referenced below for details.

Impact

In Das U-Boot a double free has been found in the cmd/gpt.c do_rename_gpt_parts() function. Double freeing may result in a write-what-where condition, allowing an attacker to execute arbitrary code.

Workaround

There is no known workaround at this time.

Resolution

All U-Boot tools users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-embedded/u-boot-tools-2020.04"
 

References

Release date
May 08, 2024

Latest revision
May 08, 2024: 1

Severity
normal

Exploitable
remote

Bugzilla entries