On Wed, Aug 06, 2025 at 07:35:40AM +0700, rama wrote:
> Dear DENX Team,
>
> I hope this message finds you well.
>
> I am writing to seek clarification regarding a recent CVE entry —
> **CVE-2025-45512** — which claims a security issue in U-Boot version
> v1.1.3, stating that it allows loading and executing arbitrary firmware
> images without verifying cryptographic signatures.
>
> As far as I understand, U-Boot (especially older versions like v1.1.3) does
> not perform any image signature verification by design unless specifically
> configured to do so with FIT signatures or integrated into a secure boot
> chain.
>
> Given this, I would like to ask:
>
> 1. Is CVE-2025-45512 (https://www.cve.org/CVERecord?id=CVE-2025-45512) an
> officially acknowledged vulnerability by DENX or the U-Boot project?

No, it is not known or acknowledged and as far as I know was never reported.

> 2. Do you consider the described behavior to be a vulnerability, or rather
> a default characteristic of early U-Boot versions?
> 3. Has this issue been addressed or mitigated in later U-Boot versions
> (e.g., with FIT signature and RSA verification support)?
> 4. Are there any recommended mitigations for users still using legacy
> versions like v1.1.3?
>
> Understanding your stance would greatly help clarify the scope and risk
> associated with this CVE.
>
> Thank you for your time and for your continued work on U-Boot.

U-Boot v1.1.3 was released in 2005. I feel like that in and of itself should
be enough of a "Don't do that for production".

-- 
Tom
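The mitigation the question refers to (FIT signatures with RSA verification in later U-Boot versions) is configured in the FIT image source and in the U-Boot build. What follows is an added example, not code from this thread or from the U-Boot project's own documentation. The file names (`zImage`, `board.dtb`), the load/entry addresses, the key directory `keys/` and the key name hint `dev` are assumptions.

```dts
/dts-v1/;

/*
 * Added example FIT image source (.its) with a signed configuration.
 * Assumptions: zImage and board.dtb exist in the working directory, and
 * keys/dev.key (RSA-2048 private key) plus keys/dev.crt are the signing key
 * pair that mkimage will use (key-name-hint "dev" selects them).
 */
/ {
	description = "Signed kernel + FDT";
	#address-cells = <1>;

	images {
		kernel-1 {
			description = "Linux kernel";
			data = /incbin/("zImage");
			type = "kernel";
			arch = "arm";
			os = "linux";
			compression = "none";
			load = <0x80008000>;   /* assumed load address */
			entry = <0x80008000>;  /* assumed entry point */
			/* Per-image hash; the configuration signature covers it. */
			hash-1 {
				algo = "sha256";
			};
		};

		fdt-1 {
			description = "Board device tree";
			data = /incbin/("board.dtb");
			type = "flat_dt";
			arch = "arm";
			compression = "none";
			hash-1 {
				algo = "sha256";
			};
		};
	};

	configurations {
		default = "conf-1";
		conf-1 {
			description = "Boot kernel-1 with fdt-1";
			kernel = "kernel-1";
			fdt = "fdt-1";
			/*
			 * Signing the configuration (rather than each image on
			 * its own) binds the kernel and FDT together: swapping
			 * one of them, or re-pairing signed images, changes the
			 * covered hashes and fails verification.
			 */
			signature-1 {
				algo = "sha256,rsa2048";
				key-name-hint = "dev";
				sign-images = "fdt", "kernel";
			};
		};
	};
};
```

To make this enforced rather than optional, U-Boot has to be built with `CONFIG_FIT_SIGNATURE=y` (which brings in the RSA verification code), the image is signed with `mkimage -f image.its -k keys -K u-boot.dtb -r image.itb`, and the resulting `u-boot.dtb` (now carrying the public key, marked as required by `-r`) is what gets linked into the bootloader. Two caveats a practitioner should check: legacy uImage support should be disabled in the same build, since a legacy image is not covered by FIT verification at all; and the check only means anything when U-Boot itself is verified by the preceding boot stage, which is the "secure boot chain" the question mentions. None of this applies to v1.1.3, which predates FIT support entirely.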