Ineffective fix of CVE-2019-14196 - U-Boot - denx.biz

newer
[PATCH V3 0/5] MXS nand fixes in...

Ineffective fix of CVE-2019-14196

older
[PATCH] drivers: ram: rockchip:...

zi0Black

11 May 2022 11 May '22

10:25 p.m.

Hi to every one,

The current fix for the vulnerability identified via CVE-2019-14196 is not effective and a buffer overflow is still possible. Please refer to my comment posted on the commit (5d14ee4e53a81055d34ba280cb8fd90330f22a96) on github.

https://github.com/u-boot/u-boot/commit/5d14ee4e53a81055d34ba280cb8fd90330f2...

Regards,

zi0Black

Attachments:

signature.asc (application/pgp-signature — 509 bytes)

Reply

Show replies by date

Tom Rini

15 May 15 May

5:14 a.m.

On Wed, May 11, 2022 at 08:25:37PM +0000, zi0Black wrote:

Hi to every one,

The current fix for the vulnerability identified via CVE-2019-14196 is not effective and a buffer overflow is still possible. Please refer to my comment posted on the commit (5d14ee4e53a81055d34ba280cb8fd90330f22a96) on github.

https://github.com/u-boot/u-boot/commit/5d14ee4e53a81055d34ba280cb8fd90330f2...

Interesting analysis. I'm a bit disappointed they didn't report this upstream themselves. A patch would be appreciated, thanks.

-- Tom

Reply

1088

Age (days ago)

1092

Last active (days ago)

Download

1 comments

2 participants

tags (0)

participants (2)

Tom Rini
zi0Black