fit: Don't allow verification of images with @ nodes
author	Simon Glass <sjg@chromium.org>
	Tue, 16 Feb 2021 00:08:06 +0000 (17:08 -0700)
committer	Daniel Leidert <dleidert@debian.org>
	Sun, 29 Jun 2025 00:33:57 +0000 (02:33 +0200)
commit	1baf7719925236747d117bfe4ee3859ea7f0aa45
tree	2a6286a40f4e06e32542b076e9348bb3ac14e4bf
parent	bf4a56d325f1ef10378e34d99263fd7810c2d109
fit: Don't allow verification of images with @ nodes

When searching for a node called 'fred', any unit address appended to the
name is ignored by libfdt, meaning that 'fred' can match 'fred@1'. This
means that we cannot be sure that the node originally intended is the one
that is used.

Disallow use of nodes with unit addresses.

Update the forge test also, since it uses @ addresses.

CVE-2021-27138

Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
Reviewed-By: Daniel Leidert <dleidert@debian.org>
Origin: https://github.com/u-boot/u-boot/commit/79af75f7776fc20b0d7eb6afe1e27c00fdb4b9b4
Bug: https://github.com/advisories/GHSA-grrh-mjp7-g52c
Bug-Debian: https://bugs.debian.org/983269
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-27138
Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2021-27138

Gbp-Pq: Name CVE-2021-27138-1.patch
common/image-fit-sig.c
common/image-fit.c
test/py/tests/test_fit.py
test/py/tests/vboot_forge.py
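The commit message describes the lookup problem in two sentences; the following C program, added here and not taken from U-Boot or from this patch, makes the behaviour concrete. It models the libfdt name rule the message refers to (a requested name matches a node whose name is identical up to an '@' unit address) against a constructed list of FIT image node names, and then applies the mitigation the commit describes: refuse to proceed when the node that was resolved carries a unit address. The node names, the function names and the flat array standing in for a device tree are assumptions for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the image nodes of a FIT; not a real device tree. */
static const char *const FIT_IMAGE_NODES[] = {
    "kernel@1",
    "kernel@2",
    "fdt",
    NULL,
};

/*
 * Model of the libfdt name comparison described in the commit message:
 * the requested name matches a node whose name is equal to it, or whose
 * name continues with '@' right after it. So "kernel" matches "kernel@1".
 * Returns the index of the first matching node, or -1.
 */
static int lookup_ignoring_unit_address(const char *const nodes[], const char *name)
{
    size_t len = strlen(name);

    for (int i = 0; nodes[i]; i++) {
        const char *n = nodes[i];

        if (strncmp(n, name, len) == 0 && (n[len] == '\0' || n[len] == '@'))
            return i;
    }
    return -1;
}

/*
 * Hardened lookup following the approach in the commit: resolve the node,
 * then refuse it if its name contains a unit address, because the caller
 * cannot be sure the node it resolved is the one originally intended.
 * Returns the node index, or -1 when nothing matched or the match is rejected.
 */
static int lookup_rejecting_unit_address(const char *const nodes[], const char *name)
{
    int idx = lookup_ignoring_unit_address(nodes, name);

    if (idx < 0)
        return -1;
    if (strchr(nodes[idx], '@')) {
        fprintf(stderr, "node '%s' resolved for '%s' contains '@', refusing\n",
                nodes[idx], name);
        return -1;
    }
    return idx;
}

int main(void)
{
    const char *requests[] = { "kernel", "kernel@2", "fdt" };

    for (size_t i = 0; i < sizeof(requests) / sizeof(requests[0]); i++) {
        int loose = lookup_ignoring_unit_address(FIT_IMAGE_NODES, requests[i]);
        int strict = lookup_rejecting_unit_address(FIT_IMAGE_NODES, requests[i]);

        printf("request '%s': libfdt-style match -> %s, hardened -> %s\n",
               requests[i],
               loose >= 0 ? FIT_IMAGE_NODES[loose] : "(none)",
               strict >= 0 ? FIT_IMAGE_NODES[strict] : "(rejected)");
    }
    return 0;
}
```

Running it shows the ambiguity the patch closes: a request for "kernel" silently resolves to "kernel@1" under the loose rule, while the hardened lookup rejects it and only plain names such as "fdt" are accepted.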