SB2019080654 - Buffer overflow in DENX U-Boot
Published: August 6, 2019 Updated: August 8, 2020
Security Bulletin ID
SB2019080654
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Buffer overflow (CVE-ID: CVE-2019-13104)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
In Das U-Boot versions 2016.11-rc1 through 2019.07-rc4, an underflow can cause memcpy() to overwrite a very large amount of data (including the whole stack) while reading a crafted ext4 filesystem.
Remediation
Install update from vendor's website.
References
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00004.html
- https://gist.github.com/deephooloovoo/d91b81a1674b4750e662dfae93804d75
- https://github.com/u-boot/u-boot/commits/master
- https://lists.denx.de/pipermail/u-boot/2019-July/375514.html