u-boot - Debian Package Tracker

general

source: u-boot (main)
version: 2022.04+dfsg-2
maintainer: Vagrant Cascadian (DMD)
uploaders: Loïc Minier [DMD] – Clint Adams [DMD]
arch: all
std-ver: 4.6.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2016.11+dfsg1-4
oldstable: 2019.01+dfsg-7
stable: 2021.01+dfsg-5
testing: 2022.04+dfsg-2
unstable: 2022.04+dfsg-2
exp: 2022.07~rc3+dfsg-1
NEW/experimental: 2022.07~rc3+dfsg-2

versioned links

2016.11+dfsg1-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2019.01+dfsg-7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2021.01+dfsg-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2022.04+dfsg-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2022.07~rc3+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

u-boot (3 bugs: 0, 1, 2, 0)
u-boot-amlogic (1 bugs: 0, 0, 1, 0)
u-boot-exynos (2 bugs: 0, 2, 0, 0)
u-boot-imx
u-boot-mvebu
u-boot-omap (1 bugs: 0, 1, 0, 0)
u-boot-qcom
u-boot-qemu
u-boot-rockchip
u-boot-rpi (3 bugs: 0, 2, 1, 0)
u-boot-sifive
u-boot-sunxi (12 bugs: 1, 7, 4, 0)
u-boot-tegra
u-boot-tools (4 bugs: 0, 1, 3, 0)

action needed

A new upstream version is available: 2022.07~rc3 high

A new upstream version 2022.07~rc3 is available, you should consider packaging it.

Created: 2022-04-27 Last update: 2022-05-26 10:08

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2022-30767: nfs_lookup_reply in net/nfs.c in Das U-Boot through 2022.04 (and through 2022.07-rc2) has an unbounded memcpy with a failed length check, leading to a buffer overflow. NOTE: this issue exists because of an incorrect fix for CVE-2019-14196.

Created: 2022-05-17 Last update: 2022-05-17 09:34

1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:

CVE-2022-30767: nfs_lookup_reply in net/nfs.c in Das U-Boot through 2022.04 (and through 2022.07-rc2) has an unbounded memcpy with a failed length check, leading to a buffer overflow. NOTE: this issue exists because of an incorrect fix for CVE-2019-14196.

Created: 2022-05-17 Last update: 2022-05-17 09:34

3 bugs tagged patch in the BTS normal

The BTS contains patches fixing 3 bugs (4 if counting merged bugs), consider including or untagging them.

Created: 2021-08-14 Last update: 2022-05-26 10:03

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 2022.07~rc3+dfsg-2, distribution experimental) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit b2f6be98da3fa66c8b54bbdb3ccdc29c19dd55f6
Author: Vagrant Cascadian <vagrant@debian.org>
Date:   Tue May 24 14:33:45 2022 -0700

    Fix changelog entry for 2022.07~rc3+dfsg-1.

commit 6c1b1ae129c430b2a678648dddb70a2b19b85e1b
Author: Vagrant Cascadian <vagrant@debian.org>
Date:   Tue May 24 11:09:35 2022 -0700

    Upload u-boot 2022.07~rc3+dfsg-2 to experimental.

commit 1668b6cfe1940342112633529be697dc0a582214
Author: Arnaud Ferraris <arnaud.ferraris@collabora.com>
Date:   Wed Apr 13 16:52:31 2022 +0200

    debian: Add new package for STM32 boards
    
    Mainline U-Boot has support for STM32MP1 dev boards. This adds a new
    `u-boot-stm32` binary package on `armhf` with boot loaders for the
    STM32MP157C-DK2, which is the only one I own from this series.
    
    Signed-off-by: Arnaud Ferraris <arnaud.ferraris@collabora.com>

Created: 2022-04-13 Last update: 2022-05-24 23:10

lintian reports 6 warnings normal

Lintian reports 6 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-10-13 Last update: 2022-01-01 04:35

21 low-priority security issues in buster low

There are 21 open security issues in buster.

2 issues left for the package maintainer to handle:

CVE-2021-27097: (needs triaging) The boot loader in Das U-Boot before 2021.04-rc2 mishandles a modified FIT.
CVE-2021-27138: (needs triaging) The boot loader in Das U-Boot before 2021.04-rc2 mishandles use of unit addresses in a FIT.

You can find information about how to handle these issues in the security team's documentation.

19 ignored issues:

CVE-2020-8432: In Das U-Boot through 2020.01, a double free has been found in the cmd/gpt.c do_rename_gpt_parts() function. Double freeing may result in a write-what-where condition, allowing an attacker to execute arbitrary code. NOTE: this vulnerablity was introduced when attempting to fix a memory leak identified by static analysis.
CVE-2019-13103: A crafted self-referential DOS partition table will cause all Das U-Boot versions through 2019.07-rc4 to infinitely recurse, causing the stack to grow infinitely and eventually either crash or overwrite other data.
CVE-2019-13104: In Das U-Boot versions 2016.11-rc1 through 2019.07-rc4, an underflow can cause memcpy() to overwrite a very large amount of data (including the whole stack) while reading a crafted ext4 filesystem.
CVE-2019-13105: Das U-Boot versions 2019.07-rc1 through 2019.07-rc4 can double-free a cached block of data when listing files in a crafted ext4 filesystem.
CVE-2019-13106: Das U-Boot versions 2016.09 through 2019.07-rc4 can memset() too much data while reading a crafted ext4 filesystem, which results in a stack buffer overflow and likely code execution.
CVE-2019-14192: An issue was discovered in Das U-Boot through 2019.07. There is an unbounded memcpy when parsing a UDP packet due to a net_process_received_packet integer underflow during an nc_input_packet call.
CVE-2019-14193: An issue was discovered in Das U-Boot through 2019.07. There is an unbounded memcpy with an unvalidated length at nfs_readlink_reply, in the "if" block after calculating the new path length.
CVE-2019-14194: An issue was discovered in Das U-Boot through 2019.07. There is an unbounded memcpy with a failed length check at nfs_read_reply when calling store_block in the NFSv2 case.
CVE-2019-14195: An issue was discovered in Das U-Boot through 2019.07. There is an unbounded memcpy with unvalidated length at nfs_readlink_reply in the "else" block after calculating the new path length.
CVE-2019-14196: An issue was discovered in Das U-Boot through 2019.07. There is an unbounded memcpy with a failed length check at nfs_lookup_reply.
CVE-2019-14197: An issue was discovered in Das U-Boot through 2019.07. There is a read of out-of-bounds data at nfs_read_reply.
CVE-2019-14198: An issue was discovered in Das U-Boot through 2019.07. There is an unbounded memcpy with a failed length check at nfs_read_reply when calling store_block in the NFSv3 case.
CVE-2019-14199: An issue was discovered in Das U-Boot through 2019.07. There is an unbounded memcpy when parsing a UDP packet due to a net_process_received_packet integer underflow during an *udp_packet_handler call.
CVE-2019-14200: An issue was discovered in Das U-Boot through 2019.07. There is a stack-based buffer overflow in this nfs_handler reply helper function: rpc_lookup_reply.
CVE-2019-14201: An issue was discovered in Das U-Boot through 2019.07. There is a stack-based buffer overflow in this nfs_handler reply helper function: nfs_lookup_reply.
CVE-2019-14202: An issue was discovered in Das U-Boot through 2019.07. There is a stack-based buffer overflow in this nfs_handler reply helper function: nfs_readlink_reply.
CVE-2019-14203: An issue was discovered in Das U-Boot through 2019.07. There is a stack-based buffer overflow in this nfs_handler reply helper function: nfs_mount_reply.
CVE-2019-14204: An issue was discovered in Das U-Boot through 2019.07. There is a stack-based buffer overflow in this nfs_handler reply helper function: nfs_umountall_reply.
CVE-2020-10648: Das U-Boot through 2020.01 allows attackers to bypass verified boot restrictions and subsequently boot arbitrary images by providing a crafted FIT image to a system configured to boot the default configuration.

Created: 2021-02-19 Last update: 2022-05-17 09:34

3 low-priority security issues in bullseye low

There are 3 open security issues in bullseye.

2 issues left for the package maintainer to handle:

CVE-2021-27097: (needs triaging) The boot loader in Das U-Boot before 2021.04-rc2 mishandles a modified FIT.
CVE-2021-27138: (needs triaging) The boot loader in Das U-Boot before 2021.04-rc2 mishandles use of unit addresses in a FIT.

You can find information about how to handle these issues in the security team's documentation.

1 ignored issue:

CVE-2022-30767: nfs_lookup_reply in net/nfs.c in Das U-Boot through 2022.04 (and through 2022.07-rc2) has an unbounded memcpy with a failed length check, leading to a buffer overflow. NOTE: this issue exists because of an incorrect fix for CVE-2019-14196.

Created: 2021-08-14 Last update: 2022-05-17 09:34

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2017-10-26 Last update: 2017-10-26 07:23

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.1 instead of 4.6.0).

Created: 2022-05-11 Last update: 2022-05-11 23:24

testing migrations

This package is part of the ongoing testing transition known as auto-openssl. Please avoid uploads unrelated to this transition, they would likely delay it and require supplementary work from the release managers. On the other hand, if your package has problems preventing it to migrate to testing, please fix them as soon as possible. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2022-05-24] Accepted u-boot 2022.07~rc3+dfsg-1 (source) into experimental (Vagrant Cascadian)
[2022-04-16] u-boot 2022.04+dfsg-2 MIGRATED to testing (Debian testing watch)
[2022-04-11] u-boot 2022.04+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-04-11] Accepted u-boot 2022.04+dfsg-2 (source) into unstable (Vagrant Cascadian)
[2022-04-05] Accepted u-boot 2022.04+dfsg-1 (source) into unstable (Vagrant Cascadian)
[2022-03-24] Accepted u-boot 2022.04~rc4+dfsg-1 (source) into experimental (Vagrant Cascadian)
[2022-02-24] Accepted u-boot 2022.04~rc2+dfsg-1 (source) into experimental (Vagrant Cascadian)
[2022-02-01] u-boot 2022.01+dfsg-2 MIGRATED to testing (Debian testing watch)
[2022-01-27] Accepted u-boot 2022.01+dfsg-2 (source) into unstable (Vagrant Cascadian)
[2022-01-16] u-boot 2022.01+dfsg-1 MIGRATED to testing (Debian testing watch)
[2022-01-11] Accepted u-boot 2022.01+dfsg-1 (source) into unstable (Vagrant Cascadian)
[2021-12-21] Accepted u-boot 2022.01~rc4+dfsg-1 (source) into experimental (Vagrant Cascadian)
[2021-11-22] Accepted u-boot 2022.01~rc2+dfsg-1 (source) into experimental (Vagrant Cascadian)
[2021-10-15] u-boot 2021.10+dfsg-1 MIGRATED to testing (Debian testing watch)
[2021-10-10] Accepted u-boot 2021.10+dfsg-1 (source) into unstable (Vagrant Cascadian)
[2021-09-28] Accepted u-boot 2021.10~rc5+dfsg-1 (source) into experimental (Vagrant Cascadian)
[2021-09-20] u-boot 2021.07+dfsg-2 MIGRATED to testing (Debian testing watch)
[2021-09-09] Accepted u-boot 2021.07+dfsg-2 (source) into unstable (Vagrant Cascadian)
[2021-07-25] Accepted u-boot 2021.07+dfsg-1 (source) into experimental (Vagrant Cascadian)
[2021-06-19] Accepted u-boot 2021.07~rc4+dfsg-1 (source) into experimental (Vagrant Cascadian)
[2021-05-30] u-boot 2021.01+dfsg-5 MIGRATED to testing (Debian testing watch)
[2021-05-23] Accepted u-boot 2021.01+dfsg-5 (source) into unstable (Vagrant Cascadian)
[2021-04-02] u-boot 2021.01+dfsg-4 MIGRATED to testing (Debian testing watch)
[2021-03-21] Accepted u-boot 2021.04~rc4+dfsg-1 (source) into experimental (Vagrant Cascadian)
[2021-03-13] Accepted u-boot 2021.04~rc3+dfsg-1 (source) into experimental (Vagrant Cascadian)
[2021-03-12] Accepted u-boot 2021.01+dfsg-4 (source) into unstable (Vagrant Cascadian)
[2021-03-11] u-boot 2021.01+dfsg-3 MIGRATED to testing (Debian testing watch)
[2021-03-01] Accepted u-boot 2021.01+dfsg-3 (source) into unstable (Vagrant Cascadian)
[2021-01-27] u-boot 2021.01+dfsg-2 MIGRATED to testing (Debian testing watch)
[2021-01-22] Accepted u-boot 2021.01+dfsg-2 (source) into unstable (Vagrant Cascadian)

bugs [bug history graph]

all: 36 37
RC: 1
I&N: 17
M&W: 18 19
F&P: 0
patch: 3 4

links

homepage
lintian (0, 6)
buildd: logs, exp, checks, clang, reproducibility
popcon
browse source code
edit tags
other distros
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2022.01+dfsg-2ubuntu3
22 bugs
patches for 2022.01+dfsg-2ubuntu3