Bug#1116947: bookworm-pu: package u-boot/2023.01+dfsg-2+deb12u2
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: u-boot@packages.debian.org, vagrant@debian.org
Control: affects -1 + src:u-boot
User: release.debian.org@packages.debian.org
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
[ Reason ]
The CVEs CVE-2024-57254 to CVE-2024-57259 have been fixed in Sid, stable, LTS,
and ELTS. They have not yet been fixed in Bookworm. This upload intends to
close this gap.
[ Impact ]
If the update is not approved, users of Debian Bookworm stay vulnerable to the
mentioned CVEs. Users updating to Bookworm become vulnerable.
[ Tests ]
The package doesn't come with the upstream test-suite enabled. The patches have
therefore been tested manually on systems using u-boot. No problems have been
reported. The fixes have also been published for users of LTS, ELTS, Sid and
stable for some time without any report of a regression either. The patches are
quite small as well.
[ Risks ]
The largest risk is the possibility of regressions or breakages. See above for
tests to catch and mitigate these risks.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
CVE-2024-57254, CVE-2024-57255, and CVE-2024-57256 are mitiated by using a
built-in to detect overflows.
CVE-2024-57257 is mitigated by limiting the nested level to 8.
CVE-2024-57258 is fixed by removing a superflous cast, moving a size check into
an earlier location, and changing a type to long.
CVE-2024-57259 is fixed by calculating the correct target size.
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEvu1N7VVEpMA+KD3HS80FZ8KW0F0FAmjcd6UACgkQS80FZ8KW
0F0E1RAAvmBkyoTtU+pbViK8xJrBsaGCc72+63JP/NfJDeDnb1wZsK+SGY+FFuJG
ZhPT7F6syVsuM0wQaKp1yiFi3nsfCmHezObBmWpAm3XWZXXFhklANaTUahzacL/b
wfHVgFskkA+LVSD/QRaqlhodv3KsZEDCP+6eMzuZFA3GjIl2pD3vFPbPxsnP9bYP
dNQM9cm6fa6+Jks0CkEYgecPApOudlkpmbh7X7BcVs3eyaXU0glpdmukzqNtGNp8
hOD1nJ8lCtHySU3jLFZaiz6SFc3eo/RIHU36ljRjNxY5O1lVmMrchjQyj5c5CeT+
eX/6uVVpmvXZf/bRsG61o8M8gvTJtMUsEBBoBbqxfouEKENf2V0KLIotArQSODNg
EoqHgKnm4iehzxVHNfIkeNB99OY4F3+IJ9TbxrT5s8/IHXHEn2NsD5HHmLkNqyEd
VJ3oyZmgXKqf6a+Y1uC81MxTFh+IE+BGP7jh7nW8VfxesXMu+hqBNH2Iz3ya7UUP
F+/VWamRv6LXFwOITNQ3vK8LTgmAlU2A+cunHS8kY2qo2Tx4ev3EzaFIQAM6+pzl
GaNCgxRhPzgy26zs/0SgY4QdixZX33A5DLYUSiFKkKglgGYDo4RMGVufzlszdtot
IHAFWEcFPQ1r3KUZNcaEhLoel7zOP0pmB0hJfOaCN9eCqkjY9c0=
=VPQz
-----END PGP SIGNATURE-----
diff -Nru u-boot-2023.01+dfsg/debian/changelog u-boot-2023.01+dfsg/debian/changelog
--- u-boot-2023.01+dfsg/debian/changelog 2024-04-19 00:00:21.000000000 +0200
+++ u-boot-2023.01+dfsg/debian/changelog 2025-10-01 02:06:28.000000000 +0200
@@ -1,3 +1,24 @@
+u-boot (2023.01+dfsg-2+deb12u2) bookworm; urgency=medium
+
+ * Non-maintainer upload by the Debian LTS team.
+ * d/patches/CVE-2024-57254.patch: Add patch to fix CVE-2024-57254.
+ - Fix an integer overflow in sqfs_inode_size (closes: 1098254).
+ * d/patches/CVE-2024-57255.patch: Add patch to fix CVE-2024-57255.
+ - Fix an integer overflow in sqfs_resolve_symlink (closes: #1098254).
+ * d/patches/CVE-2024-57256.patch: Add patch to fix CVE-2024-57256.
+ - Fix an integer overflow in ext4fs_read_symlink (closes: #1098254).
+ * d/patches/CVE-2024-57257.patch: Add patch to fix CVE-2024-57257.
+ - Fix a stack consumption issue in sqfs_size possible with deep symlink
+ nesting (closes: #1098254).
+ * d/patches/CVE-2024-57258-1.patch, d/patches/CVE-2024-57258-2.patch,
+ d/patches/CVE-2024-57258-3.patch: Add patches to fx CVE-2024-57258.
+ - Fix multiple integer overflows (closes: #1098254).
+ * d/patches/CVE-2024-57259.patch: Add patch to fix CVE-2024-57259.
+ - Fix an off-by-one error resulting in a heap memory corruption in
+ sqfs_search_dir (closes: #1098254).
+
+ -- Daniel Leidert <dleidert@debian.org> Wed, 01 Oct 2025 02:06:28 +0200
+
u-boot (2023.01+dfsg-2+deb12u1) bookworm; urgency=medium
* debian/patches: Apply fix from upstream for orion-timer, affecting
diff -Nru u-boot-2023.01+dfsg/debian/gbp.conf u-boot-2023.01+dfsg/debian/gbp.conf
--- u-boot-2023.01+dfsg/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100
+++ u-boot-2023.01+dfsg/debian/gbp.conf 2025-10-01 02:06:28.000000000 +0200
@@ -0,0 +1,4 @@
+[DEFAULT]
+debian-branch = debian/bookworm
+upstream-branch = upstream/bookworm
+pristine-tar = true
diff -Nru u-boot-2023.01+dfsg/debian/patches/CVE-2024-57254.patch u-boot-2023.01+dfsg/debian/patches/CVE-2024-57254.patch
--- u-boot-2023.01+dfsg/debian/patches/CVE-2024-57254.patch 1970-01-01 01:00:00.000000000 +0100
+++ u-boot-2023.01+dfsg/debian/patches/CVE-2024-57254.patch 2025-10-01 02:06:28.000000000 +0200
@@ -0,0 +1,46 @@
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 18:36:45 +0200
+Subject: squashfs: Fix integer overflow in sqfs_inode_size()
+
+A carefully crafted squashfs filesystem can exhibit an extremly large
+inode size and overflow the calculation in sqfs_inode_size().
+As a consequence, the squashfs driver will read from wrong locations.
+
+Fix by using __builtin_add_overflow() to detect the overflow.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+
+Reviewed-By: Daniel Leidert <dleidert@debian.org>
+Origin: https://source.denx.de/u-boot/u-boot/-/commit/c8e929e5758999933f9e905049ef2bf3fe6b140d
+Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
+Bug-Debian: https://bugs.debian.org/1098254
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57254
+Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57254
+---
+ fs/squashfs/sqfs_inode.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c
+index d25cfb5..bb3ccd3 100644
+--- a/fs/squashfs/sqfs_inode.c
++++ b/fs/squashfs/sqfs_inode.c
+@@ -78,11 +78,16 @@ int sqfs_inode_size(struct squashfs_base_inode *inode, u32 blk_size)
+
+ case SQFS_SYMLINK_TYPE:
+ case SQFS_LSYMLINK_TYPE: {
++ int size;
++
+ struct squashfs_symlink_inode *symlink =
+ (struct squashfs_symlink_inode *)inode;
+
+- return sizeof(*symlink) +
+- get_unaligned_le32(&symlink->symlink_size);
++ if (__builtin_add_overflow(sizeof(*symlink),
++ get_unaligned_le32(&symlink->symlink_size), &size))
++ return -EINVAL;
++
++ return size;
+ }
+
+ case SQFS_BLKDEV_TYPE:
diff -Nru u-boot-2023.01+dfsg/debian/patches/CVE-2024-57255.patch u-boot-2023.01+dfsg/debian/patches/CVE-2024-57255.patch
--- u-boot-2023.01+dfsg/debian/patches/CVE-2024-57255.patch 1970-01-01 01:00:00.000000000 +0100
+++ u-boot-2023.01+dfsg/debian/patches/CVE-2024-57255.patch 2025-10-01 02:06:28.000000000 +0200
@@ -0,0 +1,52 @@
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 18:36:44 +0200
+Subject: squashfs: Fix integer overflow in sqfs_resolve_symlink()
+
+A carefully crafted squashfs filesystem can exhibit an inode size of 0xffffffff,
+as a consequence malloc() will do a zero allocation.
+Later in the function the inode size is again used for copying data.
+So an attacker can overwrite memory.
+Avoid the overflow by using the __builtin_add_overflow() helper.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+
+Reviewed-By: Daniel Leidert <dleidert@debian.org>
+Origin: https://source.denx.de/u-boot/u-boot/-/commit/233945eba63e24061dffeeaeb7cd6fe985278356
+Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
+Bug-Debian: https://bugs.debian.org/1098254
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57255
+Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57255
+---
+ fs/squashfs/sqfs.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
+index 74ca70c..3c68d96 100644
+--- a/fs/squashfs/sqfs.c
++++ b/fs/squashfs/sqfs.c
+@@ -416,8 +416,10 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym,
+ char *resolved, *target;
+ u32 sz;
+
+- sz = get_unaligned_le32(&sym->symlink_size);
+- target = malloc(sz + 1);
++ if (__builtin_add_overflow(get_unaligned_le32(&sym->symlink_size), 1, &sz))
++ return NULL;
++
++ target = malloc(sz);
+ if (!target)
+ return NULL;
+
+@@ -425,9 +427,9 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym,
+ * There is no trailling null byte in the symlink's target path, so a
+ * copy is made and a '\0' is added at its end.
+ */
+- target[sz] = '\0';
++ target[sz - 1] = '\0';
+ /* Get target name (relative path) */
+- strncpy(target, sym->symlink, sz);
++ strncpy(target, sym->symlink, sz - 1);
+
+ /* Relative -> absolute path conversion */
+ resolved = sqfs_get_abs_path(base_path, target);
diff -Nru u-boot-2023.01+dfsg/debian/patches/CVE-2024-57256.patch u-boot-2023.01+dfsg/debian/patches/CVE-2024-57256.patch
--- u-boot-2023.01+dfsg/debian/patches/CVE-2024-57256.patch 1970-01-01 01:00:00.000000000 +0100
+++ u-boot-2023.01+dfsg/debian/patches/CVE-2024-57256.patch 2025-10-01 02:06:28.000000000 +0200
@@ -0,0 +1,50 @@
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 9 Aug 2024 11:54:28 +0200
+Subject: ext4: Fix integer overflow in ext4fs_read_symlink()
+
+While zalloc() takes a size_t type, adding 1 to the le32 variable
+will overflow.
+A carefully crafted ext4 filesystem can exhibit an inode size of 0xffffffff
+and as consequence zalloc() will do a zero allocation.
+
+Later in the function the inode size is again used for copying data.
+So an attacker can overwrite memory.
+
+Avoid the overflow by using the __builtin_add_overflow() helper.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+
+Reviewed-By: Daniel Leidert <dleidert@debian.org>
+Origin: https://source.denx.de/u-boot/u-boot/-/commit/35f75d2a46e5859138c83a75cd2f4141c5479ab9
+Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
+Bug-Debian: https://bugs.debian.org/1098254
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57256
+Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57256
+---
+ fs/ext4/ext4_common.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/ext4_common.c b/fs/ext4/ext4_common.c
+index 1185cb2..e940d39 100644
+--- a/fs/ext4/ext4_common.c
++++ b/fs/ext4/ext4_common.c
+@@ -2183,13 +2183,18 @@ static char *ext4fs_read_symlink(struct ext2fs_node *node)
+ struct ext2fs_node *diro = node;
+ int status;
+ loff_t actread;
++ size_t alloc_size;
+
+ if (!diro->inode_read) {
+ status = ext4fs_read_inode(diro->data, diro->ino, &diro->inode);
+ if (status == 0)
+ return NULL;
+ }
+- symlink = zalloc(le32_to_cpu(diro->inode.size) + 1);
++
++ if (__builtin_add_overflow(le32_to_cpu(diro->inode.size), 1, &alloc_size))
++ return NULL;
++
++ symlink = zalloc(alloc_size);
+ if (!symlink)
+ return NULL;
+
diff -Nru u-boot-2023.01+dfsg/debian/patches/CVE-2024-57257.patch u-boot-2023.01+dfsg/debian/patches/CVE-2024-57257.patch
--- u-boot-2023.01+dfsg/debian/patches/CVE-2024-57257.patch 1970-01-01 01:00:00.000000000 +0100
+++ u-boot-2023.01+dfsg/debian/patches/CVE-2024-57257.patch 2025-10-01 02:06:28.000000000 +0200
@@ -0,0 +1,226 @@
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 18:36:47 +0200
+Subject: squashfs: Fix stack overflow while symlink resolving
+
+The squashfs driver blindly follows symlinks, and calls sqfs_size()
+recursively. So an attacker can create a crafted filesystem and with
+a deep enough nesting level a stack overflow can be achieved.
+
+Fix by limiting the nesting level to 8.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+
+Reviewed-By: Daniel Leidert <dleidert@debian.org>
+Origin: https://source.denx.de/u-boot/u-boot/-/commit/4f5cc096bfd0a591f8a11e86999e3d90a9484c34
+Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
+Bug-Debian: https://bugs.debian.org/1098254
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57257
+Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57257
+---
+ fs/squashfs/sqfs.c | 76 +++++++++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 61 insertions(+), 15 deletions(-)
+
+diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
+index 3c68d96..5983284 100644
+--- a/fs/squashfs/sqfs.c
++++ b/fs/squashfs/sqfs.c
+@@ -24,7 +24,12 @@
+ #include "sqfs_filesystem.h"
+ #include "sqfs_utils.h"
+
++#define MAX_SYMLINK_NEST 8
++
+ static struct squashfs_ctxt ctxt;
++static int symlinknest;
++
++static int sqfs_readdir_nest(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp);
+
+ static int sqfs_disk_read(__u32 block, __u32 nr_blocks, void *buf)
+ {
+@@ -502,7 +507,7 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
+ goto out;
+ }
+
+- while (!sqfs_readdir(dirsp, &dent)) {
++ while (!sqfs_readdir_nest(dirsp, &dent)) {
+ ret = strcmp(dent->name, token_list[j]);
+ if (!ret)
+ break;
+@@ -527,6 +532,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
+
+ /* Check for symbolic link and inode type sanity */
+ if (get_unaligned_le16(&dir->inode_type) == SQFS_SYMLINK_TYPE) {
++ if (++symlinknest == MAX_SYMLINK_NEST) {
++ ret = -ELOOP;
++ goto out;
++ }
++
+ sym = (struct squashfs_symlink_inode *)table;
+ /* Get first j + 1 tokens */
+ path = sqfs_concat_tokens(token_list, j + 1);
+@@ -874,7 +884,7 @@ out:
+ return metablks_count;
+ }
+
+-int sqfs_opendir(const char *filename, struct fs_dir_stream **dirsp)
++static int sqfs_opendir_nest(const char *filename, struct fs_dir_stream **dirsp)
+ {
+ unsigned char *inode_table = NULL, *dir_table = NULL;
+ int j, token_count = 0, ret = 0, metablks_count;
+@@ -969,7 +979,19 @@ out:
+ return ret;
+ }
+
++int sqfs_opendir(const char *filename, struct fs_dir_stream **dirsp)
++{
++ symlinknest = 0;
++ return sqfs_opendir_nest(filename, dirsp);
++}
++
+ int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp)
++{
++ symlinknest = 0;
++ return sqfs_readdir_nest(fs_dirs, dentp);
++}
++
++static int sqfs_readdir_nest(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp)
+ {
+ struct squashfs_super_block *sblk = ctxt.sblk;
+ struct squashfs_dir_stream *dirs;
+@@ -1313,8 +1335,8 @@ static int sqfs_get_lregfile_info(struct squashfs_lreg_inode *lreg,
+ return datablk_count;
+ }
+
+-int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
+- loff_t *actread)
++static int sqfs_read_nest(const char *filename, void *buf, loff_t offset,
++ loff_t len, loff_t *actread)
+ {
+ char *dir = NULL, *fragment_block, *datablock = NULL;
+ char *fragment = NULL, *file = NULL, *resolved, *data;
+@@ -1344,11 +1366,11 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
+ }
+
+ /*
+- * sqfs_opendir will uncompress inode and directory tables, and will
++ * sqfs_opendir_nest will uncompress inode and directory tables, and will
+ * return a pointer to the directory that contains the requested file.
+ */
+ sqfs_split_path(&file, &dir, filename);
+- ret = sqfs_opendir(dir, &dirsp);
++ ret = sqfs_opendir_nest(dir, &dirsp);
+ if (ret) {
+ goto out;
+ }
+@@ -1356,7 +1378,7 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
+ dirs = (struct squashfs_dir_stream *)dirsp;
+
+ /* For now, only regular files are able to be loaded */
+- while (!sqfs_readdir(dirsp, &dent)) {
++ while (!sqfs_readdir_nest(dirsp, &dent)) {
+ ret = strcmp(dent->name, file);
+ if (!ret)
+ break;
+@@ -1405,9 +1427,14 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
+ break;
+ case SQFS_SYMLINK_TYPE:
+ case SQFS_LSYMLINK_TYPE:
++ if (++symlinknest == MAX_SYMLINK_NEST) {
++ ret = -ELOOP;
++ goto out;
++ }
++
+ symlink = (struct squashfs_symlink_inode *)ipos;
+ resolved = sqfs_resolve_symlink(symlink, filename);
+- ret = sqfs_read(resolved, buf, offset, len, actread);
++ ret = sqfs_read_nest(resolved, buf, offset, len, actread);
+ free(resolved);
+ goto out;
+ case SQFS_BLKDEV_TYPE:
+@@ -1578,7 +1605,14 @@ out:
+ return ret;
+ }
+
+-int sqfs_size(const char *filename, loff_t *size)
++int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
++ loff_t *actread)
++{
++ symlinknest = 0;
++ return sqfs_read_nest(filename, buf, offset, len, actread);
++}
++
++static int sqfs_size_nest(const char *filename, loff_t *size)
+ {
+ struct squashfs_super_block *sblk = ctxt.sblk;
+ struct squashfs_symlink_inode *symlink;
+@@ -1594,10 +1628,10 @@ int sqfs_size(const char *filename, loff_t *size)
+
+ sqfs_split_path(&file, &dir, filename);
+ /*
+- * sqfs_opendir will uncompress inode and directory tables, and will
++ * sqfs_opendir_nest will uncompress inode and directory tables, and will
+ * return a pointer to the directory that contains the requested file.
+ */
+- ret = sqfs_opendir(dir, &dirsp);
++ ret = sqfs_opendir_nest(dir, &dirsp);
+ if (ret) {
+ ret = -EINVAL;
+ goto free_strings;
+@@ -1605,7 +1639,7 @@ int sqfs_size(const char *filename, loff_t *size)
+
+ dirs = (struct squashfs_dir_stream *)dirsp;
+
+- while (!sqfs_readdir(dirsp, &dent)) {
++ while (!sqfs_readdir_nest(dirsp, &dent)) {
+ ret = strcmp(dent->name, file);
+ if (!ret)
+ break;
+@@ -1638,6 +1672,11 @@ int sqfs_size(const char *filename, loff_t *size)
+ break;
+ case SQFS_SYMLINK_TYPE:
+ case SQFS_LSYMLINK_TYPE:
++ if (++symlinknest == MAX_SYMLINK_NEST) {
++ *size = 0;
++ return -ELOOP;
++ }
++
+ symlink = (struct squashfs_symlink_inode *)ipos;
+ resolved = sqfs_resolve_symlink(symlink, filename);
+ ret = sqfs_size(resolved, size);
+@@ -1677,10 +1716,11 @@ int sqfs_exists(const char *filename)
+
+ sqfs_split_path(&file, &dir, filename);
+ /*
+- * sqfs_opendir will uncompress inode and directory tables, and will
++ * sqfs_opendir_nest will uncompress inode and directory tables, and will
+ * return a pointer to the directory that contains the requested file.
+ */
+- ret = sqfs_opendir(dir, &dirsp);
++ symlinknest = 0;
++ ret = sqfs_opendir_nest(dir, &dirsp);
+ if (ret) {
+ ret = -EINVAL;
+ goto free_strings;
+@@ -1688,7 +1728,7 @@ int sqfs_exists(const char *filename)
+
+ dirs = (struct squashfs_dir_stream *)dirsp;
+
+- while (!sqfs_readdir(dirsp, &dent)) {
++ while (!sqfs_readdir_nest(dirsp, &dent)) {
+ ret = strcmp(dent->name, file);
+ if (!ret)
+ break;
+@@ -1705,6 +1745,12 @@ free_strings:
+ return ret == 0;
+ }
+
++int sqfs_size(const char *filename, loff_t *size)
++{
++ symlinknest = 0;
++ return sqfs_size_nest(filename, size);
++}
++
+ void sqfs_close(void)
+ {
+ sqfs_decompressor_cleanup(&ctxt);
diff -Nru u-boot-2023.01+dfsg/debian/patches/CVE-2024-57258-1.patch u-boot-2023.01+dfsg/debian/patches/CVE-2024-57258-1.patch
--- u-boot-2023.01+dfsg/debian/patches/CVE-2024-57258-1.patch 1970-01-01 01:00:00.000000000 +0100
+++ u-boot-2023.01+dfsg/debian/patches/CVE-2024-57258-1.patch 2025-10-01 02:06:28.000000000 +0200
@@ -0,0 +1,46 @@
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 12:08:45 +0200
+Subject: dlmalloc: Fix integer overflow in sbrk()
+
+Make sure that the new break is within mem_malloc_start
+and mem_malloc_end before making progress.
+ulong new = old + increment; can overflow for extremely large
+increment values and memset() can get wrongly called.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Simon Glass <sjg@chromium.org>
+
+Reviewed-By: Daniel Leidert <dleidert@debian.org>
+Origin: https://source.denx.de/u-boot/u-boot/-/commit/0a10b49206a29b4aa2f80233a3e53ca0466bb0b3
+Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
+Bug-Debian: https://bugs.debian.org/1098254
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57258
+Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57258
+---
+ common/dlmalloc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/common/dlmalloc.c b/common/dlmalloc.c
+index 41c7230..ce4e56d 100644
+--- a/common/dlmalloc.c
++++ b/common/dlmalloc.c
+@@ -604,6 +604,9 @@ void *sbrk(ptrdiff_t increment)
+ ulong old = mem_malloc_brk;
+ ulong new = old + increment;
+
++ if ((new < mem_malloc_start) || (new > mem_malloc_end))
++ return (void *)MORECORE_FAILURE;
++
+ /*
+ * if we are giving memory back make sure we clear it out since
+ * we set MORECORE_CLEARS to 1
+@@ -611,9 +614,6 @@ void *sbrk(ptrdiff_t increment)
+ if (increment < 0)
+ memset((void *)new, 0, -increment);
+
+- if ((new < mem_malloc_start) || (new > mem_malloc_end))
+- return (void *)MORECORE_FAILURE;
+-
+ mem_malloc_brk = new;
+
+ return (void *)old;
diff -Nru u-boot-2023.01+dfsg/debian/patches/CVE-2024-57258-2.patch u-boot-2023.01+dfsg/debian/patches/CVE-2024-57258-2.patch
--- u-boot-2023.01+dfsg/debian/patches/CVE-2024-57258-2.patch 1970-01-01 01:00:00.000000000 +0100
+++ u-boot-2023.01+dfsg/debian/patches/CVE-2024-57258-2.patch 2025-10-01 02:06:28.000000000 +0200
@@ -0,0 +1,42 @@
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 12:08:44 +0200
+Subject: dlmalloc: Fix integer overflow in request2size()
+
+req is of type size_t, casting it to long opens the door
+for an integer overflow.
+Values between LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) - 1 and LONG_MAX
+cause and overflow such that request2size() returns MINSIZE.
+
+Fix by removing the cast.
+The origin of the cast is unclear, it's in u-boot and ppcboot since ever
+and predates the CVS history.
+Doug Lea's original dlmalloc implementation also doesn't have it.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Simon Glass <sjg@chromium.org>
+
+Reviewed-By: Daniel Leidert <dleidert@debian.org>
+Origin: https://source.denx.de/u-boot/u-boot/-/commit/8642b2178d2c4002c99a0b69a845a48f2ae2706f
+Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
+Bug-Debian: https://bugs.debian.org/1098254
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57258
+Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57258
+---
+ common/dlmalloc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/common/dlmalloc.c b/common/dlmalloc.c
+index ce4e56d..6293500 100644
+--- a/common/dlmalloc.c
++++ b/common/dlmalloc.c
+@@ -379,8 +379,8 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ /* pad request bytes into a usable size */
+
+ #define request2size(req) \
+- (((long)((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \
+- (long)(MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \
++ ((((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \
++ (MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \
+ (((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) & ~(MALLOC_ALIGN_MASK)))
+
+ /* Check if m has acceptable alignment */
diff -Nru u-boot-2023.01+dfsg/debian/patches/CVE-2024-57258-3.patch u-boot-2023.01+dfsg/debian/patches/CVE-2024-57258-3.patch
--- u-boot-2023.01+dfsg/debian/patches/CVE-2024-57258-3.patch 1970-01-01 01:00:00.000000000 +0100
+++ u-boot-2023.01+dfsg/debian/patches/CVE-2024-57258-3.patch 2025-10-01 02:06:28.000000000 +0200
@@ -0,0 +1,39 @@
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 12:08:43 +0200
+Subject: x86: Fix ptrdiff_t for x86_64
+
+sbrk() assumes ptrdiff_t is large enough to enlarge/shrink the heap
+by LONG_MIN/LONG_MAX.
+So, use the long type, also to match the rest of the Linux ecosystem.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Simon Glass <sjg@chromium.org>
+
+Reviewed-By: Daniel Leidert <dleidert@debian.org>
+Origin: https://source.denx.de/u-boot/u-boot/-/commit/c17b2a05dd50a3ba437e6373093a0d6a359cdee0
+Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
+Bug-Debian: https://bugs.debian.org/1098254
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57258
+Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57258
+---
+ arch/x86/include/asm/posix_types.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/posix_types.h b/arch/x86/include/asm/posix_types.h
+index dbcea7f..e1ed9bc 100644
+--- a/arch/x86/include/asm/posix_types.h
++++ b/arch/x86/include/asm/posix_types.h
+@@ -20,11 +20,12 @@ typedef unsigned short __kernel_gid_t;
+ #if defined(__x86_64__)
+ typedef unsigned long __kernel_size_t;
+ typedef long __kernel_ssize_t;
++typedef long __kernel_ptrdiff_t;
+ #else
+ typedef unsigned int __kernel_size_t;
+ typedef int __kernel_ssize_t;
+-#endif
+ typedef int __kernel_ptrdiff_t;
++#endif
+ typedef long __kernel_time_t;
+ typedef long __kernel_suseconds_t;
+ typedef long __kernel_clock_t;
diff -Nru u-boot-2023.01+dfsg/debian/patches/CVE-2024-57259.patch u-boot-2023.01+dfsg/debian/patches/CVE-2024-57259.patch
--- u-boot-2023.01+dfsg/debian/patches/CVE-2024-57259.patch 1970-01-01 01:00:00.000000000 +0100
+++ u-boot-2023.01+dfsg/debian/patches/CVE-2024-57259.patch 2025-10-01 02:06:28.000000000 +0200
@@ -0,0 +1,40 @@
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 22:05:09 +0200
+Subject: squashfs: Fix heap corruption in sqfs_search_dir()
+
+res needs to be large enough to store both strings rem and target,
+plus the path separator and the terminator.
+Currently the space for the path separator is not accounted, so
+the heap is corrupted by one byte.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+
+Reviewed-By: Daniel Leidert <dleidert@debian.org>
+Origin: https://source.denx.de/u-boot/u-boot/-/commit/048d795bb5b3d9c5701b4855f5e74bcf6849bf5e
+Bug: https://www.openwall.com/lists/oss-security/2025/02/17/2
+Bug-Debian: https://bugs.debian.org/1098254
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-57259
+Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2024-57259
+---
+ fs/squashfs/sqfs.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
+index 5983284..218ff8d 100644
+--- a/fs/squashfs/sqfs.c
++++ b/fs/squashfs/sqfs.c
+@@ -557,8 +557,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
+ ret = -ENOMEM;
+ goto out;
+ }
+- /* Concatenate remaining tokens and symlink's target */
+- res = malloc(strlen(rem) + strlen(target) + 1);
++ /*
++ * Concatenate remaining tokens and symlink's target.
++ * Allocate enough space for rem, target, '/' and '\0'.
++ */
++ res = malloc(strlen(rem) + strlen(target) + 2);
+ if (!res) {
+ ret = -ENOMEM;
+ goto out;
diff -Nru u-boot-2023.01+dfsg/debian/patches/series u-boot-2023.01+dfsg/debian/patches/series
--- u-boot-2023.01+dfsg/debian/patches/series 2024-04-18 23:28:30.000000000 +0200
+++ u-boot-2023.01+dfsg/debian/patches/series 2025-10-01 02:06:28.000000000 +0200
@@ -1,25 +1,22 @@
mx53loco
-
arndale/board-spl-rule.diff
-
test-imagetools-test-fixes
-
exynos/0001-arm-config-fix-default-console-only-to-specify-the-d.patch
-
riscv64/unmatched-prevent-relocating-initrd-and-fdt.patch
-
disable-fit-image-tests
-
rockchip/rockchip-inno-usb.patch
rockchip/rockchip-roc-pc-rk3399-Enable-rockchip-efuse-support.patch
-
qemu/efi-secure-boot.patch
-
fix-qemu-ppce500-with-binutils-2.38.patch
Makefile-Use-relative-paths-for-debugging-symbols.patch
-
tools-disable-video-logo
-
riscv64/vbe-Allow-probing-the-VBE-bootmeth-to-fail-in-OS-fixup.patch
-
upstream/0001-timer-orion-timer-Fix-problem-in-early_init_done.patch
+CVE-2024-57254.patch
+CVE-2024-57255.patch
+CVE-2024-57256.patch
+CVE-2024-57257.patch
+CVE-2024-57258-1.patch
+CVE-2024-57258-2.patch
+CVE-2024-57258-3.patch
+CVE-2024-57259.patch
Reply to: