u-boot - Debian Package Tracker

general

source: u-boot (main)
version: 2025.01-2
maintainer: Vagrant Cascadian (DMD)
uploaders: Loïc Minier [DMD] – Clint Adams [DMD]
arch: all
std-ver: 4.7.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2019.01+dfsg-7
oldstable: 2021.01+dfsg-5
stable: 2023.01+dfsg-2+deb12u1
testing: 2025.01-2
unstable: 2025.01-2

versioned links

2019.01+dfsg-7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2021.01+dfsg-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2023.01+dfsg-2+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2025.01-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

u-boot (4 bugs: 1, 1, 2, 0)
u-boot-amlogic-binaries
u-boot-asahi (1 bugs: 0, 0, 1, 0)
u-boot-exynos (4 bugs: 0, 4, 0, 0)
u-boot-exynos-binaries
u-boot-imx (1 bugs: 0, 0, 1, 0)
u-boot-mvebu
u-boot-omap (1 bugs: 0, 1, 0, 0)
u-boot-qcom
u-boot-qemu (3 bugs: 0, 3, 0, 0)
u-boot-rockchip (2 bugs: 0, 1, 1, 0)
u-boot-rpi (3 bugs: 0, 2, 1, 0)
u-boot-sifive
u-boot-sitara-binaries
u-boot-starfive
u-boot-stm32
u-boot-sunxi (11 bugs: 1, 6, 4, 0)
u-boot-tegra
u-boot-tools (4 bugs: 0, 2, 2, 0)

action needed

A new upstream version is available: 2025.04~rc5 high

A new upstream version 2025.04~rc5 is available, you should consider packaging it.

Created: 2024-01-31 Last update: 2025-04-03 18:01

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2024-42040: Buffer Overflow vulnerability in the net/bootp.c in DENEX U-Boot from its initial commit in 2002 (3861aa5) up to today on any platform allows an attacker on the local network to leak memory from four up to 32 bytes of memory stored behind the packet to the network depending on the later use of DHCP-provided parameters via crafted DHCP responses.

Created: 2024-09-01 Last update: 2025-03-25 14:30

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2024-42040: Buffer Overflow vulnerability in the net/bootp.c in DENEX U-Boot from its initial commit in 2002 (3861aa5) up to today on any platform allows an attacker on the local network to leak memory from four up to 32 bytes of memory stored behind the packet to the network depending on the later use of DHCP-provided parameters via crafted DHCP responses.

Created: 2024-09-01 Last update: 2025-03-25 14:30

16 security issues in bullseye high

There are 16 open security issues in bullseye.

6 important issues:

CVE-2024-57254: An integer overflow in sqfs_inode_size in Das U-Boot before 2025.01-rc1 occurs in the symlink size calculation via a crafted squashfs filesystem.
CVE-2024-57255: An integer overflow in sqfs_resolve_symlink in Das U-Boot before 2025.01-rc1 occurs via a crafted squashfs filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant memory overwrite.
CVE-2024-57256: An integer overflow in ext4fs_read_symlink in Das U-Boot before 2025.01-rc1 occurs for zalloc (adding one to an le32 variable) via a crafted ext4 filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant memory overwrite.
CVE-2024-57257: A stack consumption issue in sqfs_size in Das U-Boot before 2025.01-rc1 occurs via a crafted squashfs filesystem with deep symlink nesting.
CVE-2024-57258: Integer overflows in memory allocation in Das U-Boot before 2025.01-rc1 occur for a crafted squashfs filesystem via sbrk, via request2size, or because ptrdiff_t is mishandled on x86_64.
CVE-2024-57259: sqfs_search_dir in Das U-Boot before 2025.01-rc1 exhibits an off-by-one error and resultant heap memory corruption for squashfs directory listing because the path separator is not considered in a size calculation.

9 issues postponed or untriaged:

CVE-2022-2347: (needs triaging) There exists an unchecked length field in UBoot. The U-Boot DFU implementation does not bound the length field in USB DFU download setup packets, and it does not verify that the transfer direction corresponds to the specified command. Consequently, if a physical attacker crafts a USB DFU download setup packet with a `wLength` greater than 4096 bytes, they can write beyond the heap-allocated request buffer.
CVE-2021-27097: (needs triaging) The boot loader in Das U-Boot before 2021.04-rc2 mishandles a modified FIT.
CVE-2021-27138: (needs triaging) The boot loader in Das U-Boot before 2021.04-rc2 mishandles use of unit addresses in a FIT.
CVE-2022-30552: (needs triaging) Das U-Boot 2022.01 has a Buffer Overflow.
CVE-2022-30790: (needs triaging) Das U-Boot 2022.01 has a Buffer Overflow, a different issue than CVE-2022-30552.
CVE-2022-33103: (needs triaging) Das U-Boot from v2020.10 to v2022.07-rc3 was discovered to contain an out-of-bounds write via the function sqfs_readdir().
CVE-2022-33967: (needs triaging) squashfs filesystem implementation of U-Boot versions from v2020.10-rc2 to v2022.07-rc5 contains a heap-based buffer overflow vulnerability due to a defect in the metadata reading process. Loading a specially crafted squashfs image may lead to a denial-of-service (DoS) condition or arbitrary code execution.
CVE-2022-34835: (needs triaging) In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant stack-based buffer overflow in the "i2c md" command enables the corruption of the return address pointer of the do_i2c_md function.
CVE-2024-42040: (postponed; to be fixed through a stable update) Buffer Overflow vulnerability in the net/bootp.c in DENEX U-Boot from its initial commit in 2002 (3861aa5) up to today on any platform allows an attacker on the local network to leak memory from four up to 32 bytes of memory stored behind the packet to the network depending on the later use of DHCP-provided parameters via crafted DHCP responses.

1 ignored issue:

CVE-2022-30767: nfs_lookup_reply in net/nfs.c in Das U-Boot through 2022.04 (and through 2022.07-rc2) has an unbounded memcpy with a failed length check, leading to a buffer overflow. NOTE: this issue exists because of an incorrect fix for CVE-2019-14196.

Created: 2025-02-18 Last update: 2025-03-25 14:30

lintian reports 4 errors and 14 warnings high

Lintian reports 4 errors and 14 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-03-08 Last update: 2025-03-08 15:33

2 bugs tagged patch in the BTS normal

The BTS contains patches fixing 2 bugs, consider including or untagging them.

Created: 2025-01-06 Last update: 2025-04-03 23:01

2 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 9f7cde5548500927a9917fbae222287d6d097077
Author: Vagrant Cascadian <vagrant@debian.org>
Date:   Thu Mar 27 11:52:56 2025 -0700

    debian/targets.mk: Fix dependencies for DHCOM targets.

commit 1861b3e56311228f699467c4d7318d40f1dc607e
Author: Marek Vasut <marex@denx.de>
Date:   Sat Feb 22 17:34:22 2025 +0100

    Add remaining DH electronics DHSOM based devices
    
    Add build targets for all of current upstream armhf DH electronics DHSOM
    based devices, this includes all of:
    - i.MX6 DHCOM based DRC02, PDK2, PicoITX boards
    - STM32MP15xx DHCOM based DRC02, PDK2, PicoITX boards
    - STM32MP15xx DHCOR based Avenger96, DRC Compact, Testbench boards
    
    Signed-off-by: Marek Vasut <marex@denx.de>

Created: 2025-03-27 Last update: 2025-03-27 21:02

7 low-priority security issues in bookworm low

There are 7 open security issues in bookworm.

7 issues left for the package maintainer to handle:

CVE-2024-42040: (postponed; to be fixed through a stable update) Buffer Overflow vulnerability in the net/bootp.c in DENEX U-Boot from its initial commit in 2002 (3861aa5) up to today on any platform allows an attacker on the local network to leak memory from four up to 32 bytes of memory stored behind the packet to the network depending on the later use of DHCP-provided parameters via crafted DHCP responses.
CVE-2024-57254: (needs triaging) An integer overflow in sqfs_inode_size in Das U-Boot before 2025.01-rc1 occurs in the symlink size calculation via a crafted squashfs filesystem.
CVE-2024-57255: (needs triaging) An integer overflow in sqfs_resolve_symlink in Das U-Boot before 2025.01-rc1 occurs via a crafted squashfs filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant memory overwrite.
CVE-2024-57256: (needs triaging) An integer overflow in ext4fs_read_symlink in Das U-Boot before 2025.01-rc1 occurs for zalloc (adding one to an le32 variable) via a crafted ext4 filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant memory overwrite.
CVE-2024-57257: (needs triaging) A stack consumption issue in sqfs_size in Das U-Boot before 2025.01-rc1 occurs via a crafted squashfs filesystem with deep symlink nesting.
CVE-2024-57258: (needs triaging) Integer overflows in memory allocation in Das U-Boot before 2025.01-rc1 occur for a crafted squashfs filesystem via sbrk, via request2size, or because ptrdiff_t is mishandled on x86_64.
CVE-2024-57259: (needs triaging) sqfs_search_dir in Das U-Boot before 2025.01-rc1 exhibits an off-by-one error and resultant heap memory corruption for squashfs directory listing because the path separator is not considered in a size calculation.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-09-01 Last update: 2025-03-25 14:30

debian/patches: 7 patches to forward upstream low

Among the 7 debian patches available in version 2025.01-2 of the package, we noticed the following issues:

7 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2025-03-08 13:00

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2017-10-26 Last update: 2017-10-26 07:23

news

[rss feed]

[2025-03-13] u-boot 2025.01-2 MIGRATED to testing (Debian testing watch)
[2025-03-08] Accepted u-boot 2025.01-2 (source) into unstable (Vagrant Cascadian)
[2025-03-07] Accepted u-boot 2025.01-1 (source) into unstable (Vagrant Cascadian)
[2025-01-15] u-boot 2024.01+dfsg-7 MIGRATED to testing (Debian testing watch)
[2025-01-09] Accepted u-boot 2024.01+dfsg-7 (source) into unstable (Vagrant Cascadian)
[2025-01-08] u-boot 2024.01+dfsg-6 MIGRATED to testing (Debian testing watch)
[2025-01-02] Accepted u-boot 2024.01+dfsg-6 (source) into unstable (Vagrant Cascadian)
[2024-05-03] u-boot 2024.01+dfsg-5 MIGRATED to testing (Debian testing watch)
[2024-04-22] Accepted u-boot 2023.01+dfsg-2+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Vagrant Cascadian)
[2024-04-19] Accepted u-boot 2024.01+dfsg-5 (source) into unstable (Vagrant Cascadian)
[2024-04-19] Accepted u-boot 2024.01+dfsg-4 (source all amd64) into experimental (Debian FTP Masters) (signed by: Vagrant Cascadian)
[2024-03-20] Accepted u-boot 2024.01+dfsg-3 (source) into unstable (Vagrant Cascadian)
[2024-03-20] Accepted u-boot 2024.01+dfsg-2 (source) into unstable (Vagrant Cascadian)
[2024-01-16] u-boot 2024.01+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-01-10] Accepted u-boot 2024.01+dfsg-1 (source) into unstable (Vagrant Cascadian)
[2024-01-07] Accepted u-boot 2024.01~rc6+dfsg-2 (source armel) into experimental (Debian FTP Masters) (signed by: Vagrant Cascadian)
[2024-01-06] Accepted u-boot 2024.01~rc6+dfsg-1 (source) into experimental (Vagrant Cascadian)
[2023-07-16] u-boot 2023.07+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-07-11] Accepted u-boot 2023.07+dfsg-1 (source) into unstable (Vagrant Cascadian)
[2023-06-29] Accepted u-boot 2023.07~rc5+dfsg-1 (source) into experimental (Vagrant Cascadian)
[2023-06-20] Accepted u-boot 2023.07~rc4+dfsg-1 (source) into experimental (Vagrant Cascadian)
[2023-04-05] Accepted u-boot 2023.04+dfsg-1 (source) into experimental (Vagrant Cascadian)
[2023-03-28] Accepted u-boot 2023.04~rc5+dfsg-1 (source) into experimental (Vagrant Cascadian)
[2023-02-16] Accepted u-boot 2023.04~rc2+dfsg-1 (source) into experimental (Vagrant Cascadian)
[2023-01-23] u-boot 2023.01+dfsg-2 MIGRATED to testing (Debian testing watch)
[2023-01-18] u-boot 2023.01+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-01-18] Accepted u-boot 2023.01+dfsg-2 (source) into unstable (Vagrant Cascadian)
[2023-01-10] Accepted u-boot 2023.01+dfsg-1 (source) into unstable (Vagrant Cascadian)
[2023-01-06] Accepted u-boot 2023.01~rc4+dfsg-2 (source) into unstable (Vagrant Cascadian)
[2022-12-24] Accepted u-boot 2023.01~rc4+dfsg-1 (source) into experimental (Vagrant Cascadian)

bugs [bug history graph]

all: 46 47
RC: 2
I&N: 23
M&W: 20 21
F&P: 1
patch: 2

links

homepage
lintian (4, 14)
buildd: logs, checks, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2025.01-1~0ubuntu2
19 bugs
patches for 2025.01-1~0ubuntu2