+Tom

Hi Paul,

On Tue, 12 May 2026 at 04:39, Paul Barker <[email protected]> wrote:
>
> Hi folks,
>
> We recently had a patch sent to Yocto Project to backport a fix for
> CVE-2025-24857 to our Scarthgap branch which uses U-Boot 2024.01.
> Looking at the CVE info, this has confused me a lot. It says [1]:
>
> Improper access control for volatile memory containing boot code in
> Universal Boot Loader (U-Boot) before 2017.11 and Qualcomm chips
> IPQ4019, IPQ5018, IPQ5322, IPQ6018, IPQ8064, IPQ8074, and IPQ9574
> could allow an attacker to execute arbitrary code.
>
> The NVD page says it affects U-Boot "Up to (excluding) 2017.11".
>
> But, the patch that says it addresses CVE-2025-24867 was committed to
> U-Boot in December 2025 [2]. The first release containing this patch was
> v2026.01.
>
> Is this commit actually needed to resolve that CVE? Or is it some other
> change back in 2017 that fixed the issue? (A yes/no is fine, I don't
> need a link to the exact commit)

I believe this was the commit, from December 2016, which landed in 2017.01:

6c1a808052b fs/fat: Avoid corruption of sectors following the FAT

Tom's recent commit in [2] was just a belt-and-braces check on top.

Regards,
Simon

>
> [1]: https://nvd.nist.gov/vuln/detail/CVE-2025-24857
> [2]:
> https://source.denx.de/u-boot/u-boot/-/commit/87d85139a96a39429120cca838e739408ef971a2

