arm-trusted-firmware - Debian Package Tracker

general

source: arm-trusted-firmware (main)
version: 2.12.0+dfsg-2
maintainer: Vagrant Cascadian (DMD)
arch: any
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.0+290.98aab974-2
oldstable: 2.4+dfsg-2
stable: 2.8.0+dfsg-1
testing: 2.12.0+dfsg-2
unstable: 2.12.0+dfsg-2

versioned links

2.0+290.98aab974-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4+dfsg-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.8.0+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.12.0+dfsg-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

arm-trusted-firmware
arm-trusted-firmware-tools

action needed

2 security issues in trixie high

There are 2 open security issues in trixie.

2 important issues:

CVE-2024-6563: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. This vulnerability is associated with program files https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i... https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C . In line 313 "addr_loaded_cnt" is checked not to be "CHECK_IMAGE_AREA_CNT" (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of "dst" will be written to the area immediately after the buffer, which is "addr_loaded_cnt". This will allow an attacker to freely control the value of "addr_loaded_cnt" and thus control the destination of the write immediately after (line 318). The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value ("len") they desire.
CVE-2024-6564: Buffer overflow in "rcar_dev_init" due to using due to using untrusted data (rcar_image_number) as a loop counter before verifying it against RCAR_MAX_BL3X_IMAGE. This could lead to a full bypass of secure boot.

Created: 2024-06-28 Last update: 2025-01-26 06:02

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2024-6563: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. This vulnerability is associated with program files https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i... https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C . In line 313 "addr_loaded_cnt" is checked not to be "CHECK_IMAGE_AREA_CNT" (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of "dst" will be written to the area immediately after the buffer, which is "addr_loaded_cnt". This will allow an attacker to freely control the value of "addr_loaded_cnt" and thus control the destination of the write immediately after (line 318). The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value ("len") they desire.
CVE-2024-6564: Buffer overflow in "rcar_dev_init" due to using due to using untrusted data (rcar_image_number) as a loop counter before verifying it against RCAR_MAX_BL3X_IMAGE. This could lead to a full bypass of secure boot.

Created: 2024-06-28 Last update: 2025-01-26 06:02

3 security issues in buster high

There are 3 open security issues in buster.

2 important issues:

CVE-2024-6285: Integer Underflow (Wrap or Wraparound) vulnerability in Renesas arm-trusted-firmware. An integer underflow in image range check calculations could lead to bypassing address restrictions and loading of images to unallowed addresses.
CVE-2024-6287: Incorrect Calculation vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. When checking whether a new image invades/overlaps with a previously loaded image the code neglects to consider a few cases. that could An attacker to bypass memory range restriction and overwrite an already loaded image partly or completely, which could result in code execution and bypass of secure boot.

1 issue postponed or untriaged:

CVE-2023-49100: (needs triaging) Trusted Firmware-A (TF-A) before 2.10 has a potential read out-of-bounds in the SDEI service. The input parameter passed in register x1 is not validated well enough in the function sdei_interrupt_bind. The parameter is passed to a call to plat_ic_get_interrupt_type. It can be any arbitrary value passing checks in the function plat_ic_is_sgi. A compromised Normal World (Linux kernel) can enable a root-privileged attacker to issue arbitrary SMC calls. Using this primitive, he can control the content of registers x0 through x6, which are used to send parameters to TF-A. Out-of-bounds addresses can be read in the context of TF-A (EL3). Because the read value is never returned to non-secure memory or in registers, no leak is possible. An attacker can still crash TF-A, however.

Created: 2024-06-28 Last update: 2024-06-28 20:13

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2025-01-06 Last update: 2025-01-29 23:00

lintian reports 2 warnings normal

Lintian reports 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-01-21 Last update: 2025-01-21 09:01

3 low-priority security issues in bookworm low

There are 3 open security issues in bookworm.

3 issues left for the package maintainer to handle:

CVE-2024-6563: (needs triaging) Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Renesas arm-trusted-firmware allows Local Execution of Code. This vulnerability is associated with program files https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i... https://github.Com/renesas-rcar/arm-trusted-firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C . In line 313 "addr_loaded_cnt" is checked not to be "CHECK_IMAGE_AREA_CNT" (5) or larger, this check does not halt the function. Immediately after (line 317) there will be an overflow in the buffer and the value of "dst" will be written to the area immediately after the buffer, which is "addr_loaded_cnt". This will allow an attacker to freely control the value of "addr_loaded_cnt" and thus control the destination of the write immediately after (line 318). The write in line 318 will then be fully controlled by said attacker, with whichever address and whichever value ("len") they desire.
CVE-2024-6564: (needs triaging) Buffer overflow in "rcar_dev_init" due to using due to using untrusted data (rcar_image_number) as a loop counter before verifying it against RCAR_MAX_BL3X_IMAGE. This could lead to a full bypass of secure boot.
CVE-2023-49100: (needs triaging) Trusted Firmware-A (TF-A) before 2.10 has a potential read out-of-bounds in the SDEI service. The input parameter passed in register x1 is not validated well enough in the function sdei_interrupt_bind. The parameter is passed to a call to plat_ic_get_interrupt_type. It can be any arbitrary value passing checks in the function plat_ic_is_sgi. A compromised Normal World (Linux kernel) can enable a root-privileged attacker to issue arbitrary SMC calls. Using this primitive, he can control the content of registers x0 through x6, which are used to send parameters to TF-A. Out-of-bounds addresses can be read in the context of TF-A (EL3). Because the read value is never returned to non-secure memory or in registers, no leak is possible. An attacker can still crash TF-A, however.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-02-23 Last update: 2025-01-26 06:02

debian/patches: 6 patches to forward upstream low

Among the 6 debian patches available in version 2.12.0+dfsg-2 of the package, we noticed the following issues:

6 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2025-01-21 12:23

news

[rss feed]

[2025-01-26] arm-trusted-firmware 2.12.0+dfsg-2 MIGRATED to testing (Debian testing watch)
[2025-01-21] Accepted arm-trusted-firmware 2.12.0+dfsg-2 (source) into unstable (Vagrant Cascadian)
[2025-01-14] arm-trusted-firmware 2.10.10+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-01-08] Accepted arm-trusted-firmware 2.10.10+dfsg-1 (source) into unstable (Vagrant Cascadian)
[2025-01-08] Accepted arm-trusted-firmware 2.12.0+dfsg-1 (source) into experimental (Vagrant Cascadian)
[2023-12-09] arm-trusted-firmware 2.10.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-12-04] Accepted arm-trusted-firmware 2.10.0+dfsg-1 (source) into unstable (Vagrant Cascadian)
[2023-07-06] arm-trusted-firmware 2.9.0+dfsg-3 MIGRATED to testing (Debian testing watch)
[2023-07-01] Accepted arm-trusted-firmware 2.9.0+dfsg-3 (source) into unstable (Vagrant Cascadian)
[2023-06-19] Accepted arm-trusted-firmware 2.9.0+dfsg-2 (source) into experimental (Vagrant Cascadian)
[2023-06-19] Accepted arm-trusted-firmware 2.9.0+dfsg-1 (source) into experimental (Vagrant Cascadian)
[2022-11-30] arm-trusted-firmware 2.8.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-11-25] Accepted arm-trusted-firmware 2.8.0+dfsg-1 (source) into unstable (Vagrant Cascadian)
[2022-08-11] arm-trusted-firmware 2.7.0+dfsg-2 MIGRATED to testing (Debian testing watch)
[2022-08-06] Accepted arm-trusted-firmware 2.7.0+dfsg-2 (source) into unstable (Vagrant Cascadian)
[2022-06-09] Accepted arm-trusted-firmware 2.7.0+dfsg-1 (source) into experimental (Vagrant Cascadian)
[2021-12-02] arm-trusted-firmware 2.6+dfsg-1 MIGRATED to testing (Debian testing watch)
[2021-11-27] Accepted arm-trusted-firmware 2.6+dfsg-1 (source) into unstable (Vagrant Cascadian)
[2021-11-17] Accepted arm-trusted-firmware 2.6~rc0+dfsg-1 (source) into experimental (Vagrant Cascadian)
[2021-09-20] arm-trusted-firmware 2.5+dfsg-2 MIGRATED to testing (Debian testing watch)
[2021-09-09] Accepted arm-trusted-firmware 2.5+dfsg-2 (source) into unstable (Vagrant Cascadian)
[2021-06-09] Accepted arm-trusted-firmware 2.5+dfsg-1 (source) into experimental (Vagrant Cascadian)
[2021-01-22] arm-trusted-firmware 2.4+dfsg-2 MIGRATED to testing (Debian testing watch)
[2021-01-17] Accepted arm-trusted-firmware 2.4+dfsg-2 (source) into unstable (Vagrant Cascadian)
[2021-01-04] Accepted arm-trusted-firmware 2.4+dfsg-1 (source) into experimental (Vagrant Cascadian)
[2020-10-23] arm-trusted-firmware 2.3+dfsg-3 MIGRATED to testing (Debian testing watch)
[2020-10-18] Accepted arm-trusted-firmware 2.3+dfsg-3 (source) into unstable (Vagrant Cascadian)
[2020-10-15] Accepted arm-trusted-firmware 2.3+dfsg-2 (source arm64) into experimental, experimental (Debian FTP Masters) (signed by: Vagrant Cascadian)
[2020-07-15] arm-trusted-firmware 2.3+dfsg-1 MIGRATED to testing (Debian testing watch)
[2020-07-08] Accepted arm-trusted-firmware 2.3+dfsg-1 (source) into unstable (Vagrant Cascadian)

bugs [bug history graph]

all: 2
RC: 1
I&N: 0
M&W: 1
F&P: 0
patch: 1

links

homepage
lintian (0, 2)
buildd: logs, checks, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.10.0+dfsg-1build2