CVE-2020-10648 in u-boot

To: Debian LTS <debian-lts@lists.debian.org>
Subject: CVE-2020-10648 in u-boot
From: Ola Lundqvist <ola@inguza.com>
Date: Tue, 31 Mar 2020 22:46:58 +0200
Message-id: <[🔎] CABY6=0mJSSg5m4DMNT+6yqFizt7Xa+AxkbgSvKCTRfr=s8YqiA@mail.gmail.com>

Hi

I would like to have some advice about the u-boot triaging.
The problem is that someone can load an alternative configuration file
and by that boot arbitrary code.
I assume this means that the attacker must have physical access to the device.

As I see it, this can be used to root devices that should not be
possible to root.

My question is whether you think this is worth fixing in Debian.

I lean towards that we should consider this as a minor issue for
Jessie but here I would like your opinion.

Thank you in advance

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------

Reply to:

Follow-Ups:
- Re: CVE-2020-10648 in u-boot
  - From: Holger Levsen <holger@layer-acht.org>

Prev by Date: Re: Jessie update of libpam-krb5?
Next by Date: Re: CVE-2020-10648 in u-boot
Previous by thread: Re: Jessie update of libpam-krb5?
Next by thread: Re: CVE-2020-10648 in u-boot
Index(es):
- Date
- Thread