u-boot: CVE-2019-11059

Related Vulnerabilities: CVE-2019-11059, CVE-2019-11690

Debian Bug report logs - #928800


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 11 May 2019 11:51:01 UTC

Severity: normal

Tags: security, upstream

Found in version u-boot/2019.01+dfsg-5

Fixed in versions u-boot/2019.01+dfsg-6, u-boot/2019.07~rc2+dfsg-1

Done: Vagrant Cascadian <vagrant@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Vagrant Cascadian <vagrant@debian.org>:
Bug#928800; Package src:u-boot. (Sat, 11 May 2019 11:51:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Vagrant Cascadian <vagrant@debian.org>. (Sat, 11 May 2019 11:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: u-boot: CVE-2019-11059
Date: Sat, 11 May 2019 13:46:49 +0200
Source: u-boot
Version: 2019.01+dfsg-5
Severity: normal
Tags: security upstream

Hi,

The following vulnerability was published for u-boot.

CVE-2019-11059[0]:
| Das U-Boot 2016.11-rc1 through 2019.04 mishandles the ext4 64-bit
| extension, resulting in a buffer overflow.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11059
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11059
[1] https://git.denx.de/?p=u-boot.git;a=commit;h=febbc583319b567fe3d83e521cc2ace9be8d1501

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#928800. (Sun, 12 May 2019 01:30:04 GMT)


Message #8 received at 928800-submitter@bugs.debian.org:

From: Vagrant Cascadian <noreply@salsa.debian.org>
To: 928800-submitter@bugs.debian.org
Subject: Bug#928800 marked as pending in u-boot
Date: Sun, 12 May 2019 01:26:05 +0000
Control: tag -1 pending

Hello,

Bug #928800 in u-boot reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/u-boot/commit/aaf5e4a218a9e1b7dee08e29fbc922c89829d7c1

------------------------------------------------------------------------
Apply patch from upstream fixing buffer overflow with ext4
filesystems (CVE-2019-11059). Closes: #928800.
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/928800



Added tag(s) pending. Request was from Vagrant Cascadian <noreply@salsa.debian.org> to 928800-submitter@bugs.debian.org. (Sun, 12 May 2019 01:30:04 GMT)


Reply sent to Vagrant Cascadian <vagrant@debian.org>:
You have taken responsibility. (Sun, 12 May 2019 01:51:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 12 May 2019 01:51:09 GMT)


Message #15 received at 928800-close@bugs.debian.org:

From: Vagrant Cascadian <vagrant@debian.org>
To: 928800-close@bugs.debian.org
Subject: Bug#928800: fixed in u-boot 2019.01+dfsg-6
Date: Sun, 12 May 2019 01:49:17 +0000
Source: u-boot
Source-Version: 2019.01+dfsg-6

We believe that the bug you reported is fixed in the latest version of
u-boot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928800@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vagrant Cascadian <vagrant@debian.org> (supplier of updated u-boot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 11 May 2019 18:20:19 -0700
Source: u-boot
Architecture: source
Version: 2019.01+dfsg-6
Distribution: unstable
Urgency: medium
Maintainer: Vagrant Cascadian <vagrant@debian.org>
Changed-By: Vagrant Cascadian <vagrant@debian.org>
Closes: 928557 928612 928800 928815
Changes:
 u-boot (2019.01+dfsg-6) unstable; urgency=medium
 .
   [ Domenico Andreoli ]
   * Enable support for NanoPi NEO 2 in u-boot-sunxi (Closes: #928612).
 .
   [ Jonas Smedegaard ]
   * Sync sunxi teres-i patch with mainline u-boot, enabling USB
     support (Closes: #928815).
 .
   [ Vagrant Cascadian ]
   * Apply patch from upstream fixing buffer overflow with ext4 filesystems
     (CVE-2019-11059, Closes: #928800).
   * Apply patch from upstream fixing randomly generated
     UUIDs. (CVE-2019-11690, Closes: #928557).
Checksums-Sha1:
 60224753280aa12de5687086183625d6e96cdaff 2392 u-boot_2019.01+dfsg-6.dsc
 c890375d7d783a3eb12f3c8eea88ccefc21ba08f 45832 u-boot_2019.01+dfsg-6.debian.tar.xz
 8c1760eb36f69f5df642aad06dd8d30c87764e5e 5076 u-boot_2019.01+dfsg-6_amd64.buildinfo
Checksums-Sha256:
 4efd60d1be71fca9208f802dba76487182a851bc412a3aa059c85470b4c08ea5 2392 u-boot_2019.01+dfsg-6.dsc
 c855383d14e9b34c84a12a928ba873a59cc0b36085e664b7fff2af77a9e55f4f 45832 u-boot_2019.01+dfsg-6.debian.tar.xz
 c8fb9b6caa9f028a29afa505c26798292c0ac4687de3c248eac71ad2b8a9b7c6 5076 u-boot_2019.01+dfsg-6_amd64.buildinfo
Files:
 4b3fdff371068e2dc9c04906211bcd82 2392 admin optional u-boot_2019.01+dfsg-6.dsc
 1445c3727368c6c82818449e78ea9adc 45832 admin optional u-boot_2019.01+dfsg-6.debian.tar.xz
 45707cc1993fadfcc3e543858ef19f16 5076 admin optional u-boot_2019.01+dfsg-6_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iIkEARYKADEWIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCXNd19RMcdmFncmFudEBk
ZWJpYW4ub3JnAAoJENxRj8h/lxaqIyoA/1nQSzFI5Zt2o4TtJTMt88xqKa5zIXhr
ASo0zQzEd8RGAQC75wH1ejlsG5BfQOME921oCRc1n8Fk9XzPI7oLo3XHBA==
=FZKb
-----END PGP SIGNATURE-----

Reply sent to Vagrant Cascadian <vagrant@debian.org>:
You have taken responsibility. (Sat, 18 May 2019 04:51:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 18 May 2019 04:51:10 GMT)


Message #20 received at 928800-close@bugs.debian.org:

From: Vagrant Cascadian <vagrant@debian.org>
To: 928800-close@bugs.debian.org
Subject: Bug#928800: fixed in u-boot 2019.07~rc2+dfsg-1
Date: Sat, 18 May 2019 04:49:07 +0000
Source: u-boot
Source-Version: 2019.07~rc2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
u-boot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928800@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vagrant Cascadian <vagrant@debian.org> (supplier of updated u-boot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 17 May 2019 21:02:15 -0700
Source: u-boot
Architecture: source
Version: 2019.07~rc2+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Vagrant Cascadian <vagrant@debian.org>
Changed-By: Vagrant Cascadian <vagrant@debian.org>
Closes: 928557 928612 928800 928947
Changes:
 u-boot (2019.07~rc2+dfsg-1) experimental; urgency=medium
 .
   * New upstream release candidate:
     (CVE-2019-11059, Closes: #928800)
     (CVE-2019-11690, Closes: #928557)
 .
   [ Sunil Mohan Adapa ]
   * Enable pine64-lts target in u-boot-sunxi (Closes: #928947).
 .
   [ Domenico Andreoli ]
   * Enable support for NanoPi NEO 2 in u-boot-sunxi (Closes: #928612).
 .
   [ Vagrant Cascadian ]
   * u-boot-omap: Fix installation instructions for various beagleboard.org
     boards.
   * Remove patches applied upstream:
     - upstream/lib-uuid-Fix-unseeded-PRNG-on-RANDOM_UUID-y
     - sunxi/teres-i
     - booti/riscv64
     - qemu-riscv64/riscv-qemu-riscv.h-define-CONFIG_PREBOOT-enables-ext
     - pocketbeagle/0001-ti-Add-device-tree-for-am335x-pocketbeagle
     - pocketbeagle/0002-ti-Add-am335x-pocketbeagle-to-am335x_evm_defconfig
   * u-boot-tools: Use tools-only_defconfig, disabling CONFIG_FIT_SIGNATURE
     which requires openssl.
Checksums-Sha1:
 dc276c16e7cc9752cc7b7720496620e3b6073d6c 2950 u-boot_2019.07~rc2+dfsg-1.dsc
 cb0dccf72f16d656d674e921571a68f850d5b5fd 11671308 u-boot_2019.07~rc2+dfsg.orig.tar.xz
 d7a602d018e795e73039dbd4f13260f04d127062 41488 u-boot_2019.07~rc2+dfsg-1.debian.tar.xz
 6a3d23f5d3aac860eb797a6c4469c948663ea1a9 9992 u-boot_2019.07~rc2+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 6367a3a89b6efa13e60b60d7127764c911481b048ffe8341586a66bbfecfb028 2950 u-boot_2019.07~rc2+dfsg-1.dsc
 8058afdcca0e6c5c0e1974070ffaf0448c494125bc7dd9c65edabce6156f777e 11671308 u-boot_2019.07~rc2+dfsg.orig.tar.xz
 71d7c3325db350e27a3e995cdb445a2315ac19b4a1319df0f7ae9f494b915cb9 41488 u-boot_2019.07~rc2+dfsg-1.debian.tar.xz
 f3bc1bdda8d3ce63f7ef4fa618d57bd24a1f1dfb53b1f9e277d0cbf6686327e4 9992 u-boot_2019.07~rc2+dfsg-1_amd64.buildinfo
Files:
 66c43c2116cf285e07c82767e4e82103 2950 admin optional u-boot_2019.07~rc2+dfsg-1.dsc
 f4769beb447ed61a26e5cb37295a7d7a 11671308 admin optional u-boot_2019.07~rc2+dfsg.orig.tar.xz
 0ce7b271179aac8d8e6591ddaafc9abc 41488 admin optional u-boot_2019.07~rc2+dfsg-1.debian.tar.xz
 ceb76341e9be70f10a7a76656c033f8e 9992 admin optional u-boot_2019.07~rc2+dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iIkEARYKADEWIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCXN+ICBMcdmFncmFudEBk
ZWJpYW4ub3JnAAoJENxRj8h/lxaqNMgBAI2zVhRhM1oDpFLzT/yqfPRi7IxQ1vBY
rGZ/I5jHZYESAQCGJ3i6VXC+CQBBk6D+pHHDaIuaEF4lTfygPYjDPOguBA==
=20EK
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jun 2019 07:24:52 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:04:48 2019; Machine Name: beach
