Security vulnerabilities report to Das-U-Boot

Tom Rini trini at konsulko.com
Wed Feb 26 04:59:18 AEDT 2025 

On Sat, Feb 22, 2025 at 12:47:45PM -0800, Jonathan Bar Or wrote:

> Hello Tom and team,
> 
> Looks like all of the issues were fixed and merged - am I correct?
> I intend to make a public disclosure March 19th, is that okay?

Yes, I've merged all of the patches I'm aware of at this point.

> 
> Best,
>        Jonathan
> 
> On Fri, Feb 14, 2025 at 7:24 PM Jonathan Bar Or <jonathanbaror at gmail.com> wrote:
> >
> > Please disregard the previous message, those are the actual CVE numbers:
> >
> > - CVE-2025-26726 :SquashFS directory table parsing buffer overflow
> > - CVE-2025-26727: SquashFS inode parsing buffer overflow.
> > - CVE-2025-26728: SquashFS nested file reading buffer overflow.
> > - CVE-2025-26729: EroFS symlink resolution buffer overflow.
> >
> > Best regards,
> >            Jonathan
> >
> >
> > On Fri, Feb 14, 2025 at 7:17 PM Jonathan Bar Or <jonathanbaror at gmail.com> wrote:
> > >
> > > Hi folks.
> > >
> > > Here are the CVEs assigned by MITRE:
> > > - CVE-2025-26721: buffer overflow in the persistent storage for file creation
> > > - CVE-2025-26722: buffer overflow in SquashFS symlink resolution
> > > - CVE-2025-26723: buffer overflow in EXT4 symlink resolution
> > > - CVE-2025-26724: buffer overflow in CramFS symlink resolution
> > > - CVE-2025-26724: buffer overflow in JFFS2 dirent parsing
> > >
> > > Best regards,
> > >            Jonathan
> > >
> > > On Wed, Feb 12, 2025 at 12:24 AM Miquel Raynal
> > > <miquel.raynal at bootlin.com> wrote:
> > > >
> > > > Hello Tom,
> > > >
> > > > On 11/02/2025 at 15:29:09 -06, Tom Rini <trini at konsulko.com> wrote:
> > > >
> > > > > On Tue, Feb 11, 2025 at 08:26:37AM -0800, Jonathan Bar Or wrote:
> > > > >> Hi Tom and the rest of the team,
> > > > >>
> > > > >> Please let me know about fix time, whether this is acknowledged and
> > > > >> whether you're going to request CVE IDs for those or if I should do
> > > > >> it.
> > > > >> The reason is that I found similar issues in other bootloaders, so I'm
> > > > >> trying to synchronize all of them. For what it's worth, Barebox has
> > > > >> similar issues and are currently fixing.
> > > > >
> > > > > Yes, these seem valid. We don't have a CVE requesting authority so if
> > > > > you want them, go ahead and request them. You saw Gao Xiang's response
> > > > > for erofs, and I'm hoping one of the squashfs maintainers will chime
> > > > > in.
> > > >
> > > > Either João or me, we will have a look.
> > > >
> > > > Thanks,
> > > > Miquèl

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <http://lists.ozlabs.org/pipermail/linux-erofs/attachments/20250225/b1d51f4c/attachment.sig>

More information about the Linux-erofs mailing list