On Thu, Apr 21, 2022 at 06:31:44AM +0000, Gan, Yau Wai wrote: > This is to report that CVE is detected during u-boot scanning. Sending to > open mailing list as get_maintainer suggested. > > The current zlib version used in u-boot contains CVE-2018-25032 [1]. > Corresponding fix in zlib mainline has been addressed in v1.2.12 [2]. > It is required to upgrade zlib in u-boot to that version or later to mitigate > the CVE. > > [1] https://www.cve.org/CVERecord?id=CVE-2018-25032 > [2] > https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
Please note that by default, no U-Boot binary is vulnerable to this as we only support using the zlib deflate (so, compress a file, not uncompress an archive) when CMD_ZIP is enabled. This is only true of the sandbox build. A patch to apply the fix from upstream would be most welcome, all the same. Thanks! -- Tom
signature.asc
Description: PGP signature
