[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CVE-2020-10648 in u-boot

On 2020-03-31, Holger Levsen wrote:
> looping the u-boot maintainer in... what's your opinion on this, Vagrant?
> On Tue, Mar 31, 2020 at 10:46:58PM +0200, Ola Lundqvist wrote:
>> I would like to have some advice about the u-boot triaging.
>> The problem is that someone can load an alternative configuration file
>> and by that boot arbitrary code.
>> I assume this means that the attacker must have physical access to the device.
>> As I see it, this can be used to root devices that should not be
>> possible to root.
>> My question is whether you think this is worth fixing in Debian.
>> I lean towards that we should consider this as a minor issue for
>> Jessie but here I would like your opinion.
>> Thank you in advance
>> // Ola
> (I'd agree this is not worth fixing in jessie if this needs physical access.)

I haven't looked deeply into it, but from what I recall, I'm not sure
any of the platforms built in Debian make use of the verified boot

live well,

Attachment: signature.asc
Description: PGP signature

Reply to: