Security vulnerabilities report to Das-U-Boot

Jonathan Bar Or jonathanbaror at gmail.com
Sun Feb 23 07:47:45 AEDT 2025 

Hello Tom and team,

Looks like all of the issues were fixed and merged - am I correct?
I intend to make a public disclosure March 19th, is that okay?

Best,
       Jonathan

On Fri, Feb 14, 2025 at 7:24 PM Jonathan Bar Or <jonathanbaror at gmail.com> wrote:
>
> Please disregard the previous message, those are the actual CVE numbers:
>
> - CVE-2025-26726 :SquashFS directory table parsing buffer overflow
> - CVE-2025-26727: SquashFS inode parsing buffer overflow.
> - CVE-2025-26728: SquashFS nested file reading buffer overflow.
> - CVE-2025-26729: EroFS symlink resolution buffer overflow.
>
> Best regards,
>            Jonathan
>
>
> On Fri, Feb 14, 2025 at 7:17 PM Jonathan Bar Or <jonathanbaror at gmail.com> wrote:
> >
> > Hi folks.
> >
> > Here are the CVEs assigned by MITRE:
> > - CVE-2025-26721: buffer overflow in the persistent storage for file creation
> > - CVE-2025-26722: buffer overflow in SquashFS symlink resolution
> > - CVE-2025-26723: buffer overflow in EXT4 symlink resolution
> > - CVE-2025-26724: buffer overflow in CramFS symlink resolution
> > - CVE-2025-26724: buffer overflow in JFFS2 dirent parsing
> >
> > Best regards,
> >            Jonathan
> >
> > On Wed, Feb 12, 2025 at 12:24 AM Miquel Raynal
> > <miquel.raynal at bootlin.com> wrote:
> > >
> > > Hello Tom,
> > >
> > > On 11/02/2025 at 15:29:09 -06, Tom Rini <trini at konsulko.com> wrote:
> > >
> > > > On Tue, Feb 11, 2025 at 08:26:37AM -0800, Jonathan Bar Or wrote:
> > > >> Hi Tom and the rest of the team,
> > > >>
> > > >> Please let me know about fix time, whether this is acknowledged and
> > > >> whether you're going to request CVE IDs for those or if I should do
> > > >> it.
> > > >> The reason is that I found similar issues in other bootloaders, so I'm
> > > >> trying to synchronize all of them. For what it's worth, Barebox has
> > > >> similar issues and are currently fixing.
> > > >
> > > > Yes, these seem valid. We don't have a CVE requesting authority so if
> > > > you want them, go ahead and request them. You saw Gao Xiang's response
> > > > for erofs, and I'm hoping one of the squashfs maintainers will chime
> > > > in.
> > >
> > > Either João or me, we will have a look.
> > >
> > > Thanks,
> > > Miquèl

More information about the Linux-erofs mailing list