Add security fixes

Bug #2012644 reported by Heinrich Schuchardt
Affects | Status | Importance | Assigned to | Milestone
u-boot-nezha (Ubuntu) | Fix Released | Undecided | Unassigned |
Jammy | Fix Released | Undecided | Eduardo Barretto |
Kinetic | Won't Fix | Undecided | Unassigned |
Lunar | Fix Released | Undecided | Eduardo Barretto |

Bug Description

[ Impact ]

The following upstream fixes from https://source.denx.de/u-boot/u-boot are applicable to u-boot-nezha, too:

fbce985e28ea ("usb: gadget: dfu: Fix the unchecked length field")
1817c3824a08 ("net: (actually/better) deal with CVE-2022-{30790,30552}")
14dc0ab13898 ("usb: gadget: dfu: Fix check of transfer direction")

[ Test Plan ]

Test that the Nezha and the LicheeRV Dock board can be booted on the target release with the updated u-boot-nezha package installed.

[ Where problems could occur ]

Booting the Nezha or the LicheeRV Dock board might fail.

[ Other Info ]

n/a

CVE References

Changed in u-boot-nezha (Ubuntu):
assignee: nobody → Heinrich Schuchardt (xypron)
Heinrich Schuchardt (xypron) wrote :
Changed in u-boot-nezha (Ubuntu):
assignee: Heinrich Schuchardt (xypron) → nobody
Eduardo Barretto (ebarretto) wrote :

Hi Heinrich,

Thanks for contacting us and providing a debdiff. Are you also going to provide a debdiff for jammy and kinetic?

Heinrich Schuchardt (xypron) wrote :

Hello Eduardo,

I would prefer to upgrade Jammy and Kinetic to

u-boot-nezha-2022.10-1089-g528ae9bc6c-0ubuntu2.debdiff

I have already tested this version of U-Boot with Jammy on the Nezha D1 and LicheeRV boards.

We have the build dependency OpenSBI in the Kinetic security pocket. It would have to be rebuilt in the Jammy security pocket.

Best regards

Heinrich

Marc Deslauriers (mdeslaur) wrote :

Can I please make this bug public?

Changed in u-boot-nezha (Ubuntu Lunar):
status: New → Fix Released
information type: Private Security → Public Security
Changed in u-boot-nezha (Ubuntu Lunar):
status: Fix Released → New
Heinrich Schuchardt (xypron) wrote :

I have updated the debdiff to build for Ubuntu Mantic.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package u-boot-nezha - 2022.10-1089-g528ae9bc6c-0ubuntu2

---------------
u-boot-nezha (2022.10-1089-g528ae9bc6c-0ubuntu2) mantic; urgency=medium

  * Add security fixes (LP: #2012644)
    d/p/0001-usb-gadget-dfu-Fix-the-unchecked-length-field.patch
    d/p/0001-net-actually-better-deal-with-CVE-2022-30790-30552.patch
    d/p/0001-usb-gadget-dfu-Fix-check-of-transfer-direction.patch
  * Enable sbi command
    d/p/0001-enable-sbi-command.patch

 -- Heinrich Schuchardt <email address hidden> Mon, 19 Jun 2023 16:37:50 +0200

Changed in u-boot-nezha (Ubuntu):
status: New → Fix Released
Jeremy Bícha (jbicha)
Changed in u-boot-nezha (Ubuntu Jammy):
status: New → Confirmed
Changed in u-boot-nezha (Ubuntu Kinetic):
status: New → Confirmed
Changed in u-boot-nezha (Ubuntu Lunar):
status: New → Confirmed
tags: added: jammy kinetic lunar
Łukasz Zemczak (sil2100) wrote :

Hey Heinrich! Could you provide debdiffs for the stable series as well so that the security team can pick those up? (there is a lunar one, but it needs updating per the version number being used for mantic already I suppose)

Heinrich Schuchardt (xypron) wrote :

This is the debdiff for Lunar

Changed in u-boot-nezha (Ubuntu Lunar):
assignee: nobody → Heinrich Schuchardt (xypron)
Changed in u-boot-nezha (Ubuntu Jammy):
assignee: nobody → Heinrich Schuchardt (xypron)
Heinrich Schuchardt (xypron) wrote :

Debdiff for Jammy

Heinrich Schuchardt (xypron) wrote :

u-boot-nezha - 2022.10-1089-g528ae9bc6c-0ubuntu1.23.04.0 (Lunar) is available in ppa:xypron/merge-from-debian.

u-boot-nezha - 2022.04+git20220405.7446a472-0ubuntu0.3 (Jammy) is available in ppa:xypron/gnu-efi

Changed in u-boot-nezha (Ubuntu Jammy):
assignee: Heinrich Schuchardt (xypron) → nobody
Changed in u-boot-nezha (Ubuntu Lunar):
assignee: Heinrich Schuchardt (xypron) → nobody
summary: - Add security fixes
+ [SRU] Add security fixes
description: updated
Julian Andres Klode (juliank) wrote :

Unsubscribing ubuntu-sponsors and adjusting titles as this should not be SRUs but go via security as per comment #7

summary: - [SRU] Add security fixes
+ Add security fixes
Changed in u-boot-nezha (Ubuntu Kinetic):
status: Confirmed → Won't Fix
Changed in u-boot-nezha (Ubuntu Jammy):
assignee: nobody → Eduardo Barretto (ebarretto)
Changed in u-boot-nezha (Ubuntu Lunar):
assignee: nobody → Eduardo Barretto (ebarretto)
Eduardo Barretto (ebarretto) wrote :

Hi Heinrich,

I see that you have u-boot-nezha for both jammy and lunar sitting in -proposed.
Whenever that gets published we will need a new set of debdiffs generated against this newer version.

Marc Deslauriers (mdeslaur) wrote :

Hi Heinrich,

Now that the packages are out of proposed, I've adapted your debdiffs for the new versions and have uploaded them to the security proposed ppa here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Could you please test them and let me know if they work as expected, and I'll publish them as security updates.

Thanks!

Heinrich Schuchardt (xypron) wrote :

Thanks Marc, I will test tomorrow.

Heinrich Schuchardt (xypron) wrote :

Hello Marc,

I have tested

u-boot-nezha - 2022.10-1089-g528ae9bc6c-0ubuntu1.23.04.2
u-boot-nezha - 2022.04+git20220405.7446a472-0ubuntu0.4

on both Nezha D1 and LicheeRV Dock and experienced no problems in booting. USB is functional.

The OpenSBI binary is built into the U-Boot binaries. Please, ensure that the same OpenSBI that you used for your PPA builds is available for the build in the security archive.

Best regards

Heinrich

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package u-boot-nezha - 2022.04+git20220405.7446a472-0ubuntu0.4

---------------
u-boot-nezha (2022.04+git20220405.7446a472-0ubuntu0.4) jammy-security; urgency=medium

  [ Heinrich Schuchardt ]
  * Add security fixes (LP: #2012644)
    d/p/0001-net-Check-for-the-minimum-IP-fragmented-datagram-siz.patch
    d/p/0001-net-compare-received-length-to-sizeof-ip_hdr-not-siz.patch
    d/p/0001-usb-gadget-dfu-Fix-the-unchecked-length-field.patch
    d/p/0001-net-actually-better-deal-with-CVE-2022-30790-30552.patch
    d/p/0001-usb-gadget-dfu-Fix-check-of-transfer-direction.patch

 -- Marc Deslauriers <email address hidden> Tue, 28 Nov 2023 13:16:53 -0500

Changed in u-boot-nezha (Ubuntu Jammy):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package u-boot-nezha - 2022.10-1089-g528ae9bc6c-0ubuntu1.23.04.2

---------------
u-boot-nezha (2022.10-1089-g528ae9bc6c-0ubuntu1.23.04.2) lunar-security; urgency=medium

  [ Heinrich Schuchardt ]
  * Add security fixes (LP: #2012644)
    d/p/0001-usb-gadget-dfu-Fix-the-unchecked-length-field.patch
    d/p/0001-net-actually-better-deal-with-CVE-2022-30790-30552.patch
    d/p/0001-usb-gadget-dfu-Fix-check-of-transfer-direction.patch

 -- Marc Deslauriers <email address hidden> Tue, 28 Nov 2023 13:17:18 -0500

Changed in u-boot-nezha (Ubuntu Lunar):
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
