
Re: CVE-2020-10648 in u-boot



Hi

Thank you. I have marked this issue as a minor issue. The Debian
Security team made that decision and I find no reason why u-boot would
be more important to fix than later releases.

Best regards

// Ola

On Sun, 5 Apr 2020 at 23:09, Vagrant Cascadian <vagrant@debian.org> wrote:
>
> On 2020-03-31, Holger Levsen wrote:
> > looping the u-boot maintainer in... what's your opinion on this, Vagrant?
> >
> > On Tue, Mar 31, 2020 at 10:46:58PM +0200, Ola Lundqvist wrote:
> >> I would like to have some advice about the u-boot triaging.
> >> The problem is that someone can load an alternative configuration file
> >> and by that boot arbitrary code.
> >> I assume this means that the attacker must have physical access to the device.
> >>
> >> As I see it, this can be used to root devices that should not be
> >> possible to root.
> >>
> >> My question is whether you think this is worth fixing in Debian.
> >>
> >> I lean towards considering this a minor issue for
> >> Jessie, but here I would like your opinion.
> >>
> >> Thank you in advance
> >>
> >> // Ola
> >
> > (I'd agree this is not worth fixing in jessie if this needs physical access.)
>
> I haven't looked deeply into it, but from what I recall, I'm not sure
> any of the platforms built in Debian make use of the verified boot
> features.
>
> live well,
>   vagrant



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------

