Your message dated Wed, 08 Jan 2025 00:50:57 +0000
with message-id <[email protected]>
and subject line Bug#1074431: fixed in arm-trusted-firmware 2.12.0+dfsg-1
has caused the Debian Bug report #1074431,
regarding arm-trusted-firmware: CVE-2024-6287 CVE-2024-6285
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1074431: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074431
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: arm-trusted-firmware
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for arm-trusted-firmware.
CVE-2024-6287[0]:
| Incorrect Calculation vulnerability in Renesas arm-trusted-firmware
| allows Local Execution of Code. When checking whether a new image
| invades/overlaps with a previously loaded image the code neglects to
| consider a few cases that could allow an attacker to bypass memory range
| restriction and overwrite an already loaded image partly or
| completely, which could result in code execution and bypass of
| secure boot.
https://github.com/renesas-rcar/arm-trusted-firmware/commit/954d488a9798f8fda675c6b57c571b469b298f04
https://asrg.io/security-advisories/cve-2024-6287-incorrect-address-range-calculations-in-renesas-rcar/
CVE-2024-6285[1]:
| Integer Underflow (Wrap or Wraparound) vulnerability in Renesas
| arm-trusted-firmware. An integer underflow in image range check
| calculations could lead to bypassing address restrictions and
| loading of images to unallowed addresses.
https://github.com/renesas-rcar/arm-trusted-firmware/commit/b596f580637bae919b0ac3a5471422a1f756db3b
https://asrg.io/security-advisories/cve-2024-6285-integer-underflow-in-memory-range-check-in-renesas-rcar/
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-6287
https://www.cve.org/CVERecord?id=CVE-2024-6287
[1] https://security-tracker.debian.org/tracker/CVE-2024-6285
https://www.cve.org/CVERecord?id=CVE-2024-6285
Please adjust the affected versions in the BTS as needed.
--- End Message ---
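The two advisories quoted above describe a missing-case image overlap check and an integer underflow in an address-range check. The following is an added, constructed C illustration of those two bug classes, not the Renesas or upstream TF-A code and not an exploit for these CVEs: the region names, addresses, window sizes and function names are hypothetical. A flawed pair of checks is shown beside a hardened pair that compares closed intervals and guards every subtraction.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A memory region [base, base + size); size 0 means "empty". */
typedef struct {
    uintptr_t base;
    size_t    size;
} region_t;

/* --- Flawed checks (constructed to show the bug classes; not the Renesas code) --- */

/* Only asks "does the new image START inside the loaded one?", so a new image
 * that starts below and ends inside, or that encloses, the loaded image passes.
 * loaded.base + loaded.size is also computed without a wrap check. */
static bool overlaps_naive(region_t loaded, region_t new_img)
{
    uintptr_t loaded_end = loaded.base + loaded.size;  /* may wrap to a small value */
    return new_img.base >= loaded.base && new_img.base < loaded_end;
}

/* Computes the room left after the image start without first checking that
 * the start lies inside the window: allowed_end - img.base underflows and the
 * image is accepted as if there were almost UINTPTR_MAX bytes of space. */
static bool in_allowed_range_naive(region_t img, region_t allowed)
{
    uintptr_t allowed_end = allowed.base + allowed.size;
    if (img.base < allowed.base)
        return false;
    uintptr_t remaining = allowed_end - img.base;      /* wraps when img.base > allowed_end */
    return img.size <= remaining;
}

/* --- Hardened checks --- */

/* A region is well-formed only if the address of its last byte does not wrap. */
static bool region_valid(region_t r)
{
    if (r.size == 0)
        return false;
    return r.base <= UINTPTR_MAX - (r.size - 1);
}

/* Closed-interval comparison on the last byte of each region: no "end" value
 * that could wrap, and every relative position is covered (start inside,
 * end inside, enclosing, identical). Malformed input fails closed. */
static bool overlaps(region_t a, region_t b)
{
    if (!region_valid(a) || !region_valid(b))
        return true;
    uintptr_t a_last = a.base + (a.size - 1);
    uintptr_t b_last = b.base + (b.size - 1);
    return a.base <= b_last && b.base <= a_last;
}

/* img must lie entirely inside allowed; every subtraction is guarded first. */
static bool in_allowed_range(region_t img, region_t allowed)
{
    if (!region_valid(img) || !region_valid(allowed))
        return false;
    if (img.base < allowed.base)
        return false;
    uintptr_t offset = img.base - allowed.base;         /* no underflow: checked above */
    if (offset > allowed.size)
        return false;                                   /* start is past the window */
    return img.size <= allowed.size - offset;           /* no underflow: checked above */
}

/* Loader policy: inside the window and disjoint from everything loaded so far. */
static bool may_load(region_t img, region_t allowed,
                     const region_t *loaded, size_t nloaded)
{
    if (!in_allowed_range(img, allowed))
        return false;
    for (size_t i = 0; i < nloaded; i++)
        if (overlaps(loaded[i], img))
            return false;
    return true;
}

int main(void)
{
    /* Constructed addresses; they do not correspond to any real platform map. */
    region_t allowed = { 0x3FF00000u, 0x200000u };      /* hypothetical 2 MiB load window */
    region_t bl2     = { 0x40000000u, 0x10000u };       /* hypothetical already-loaded image */

    region_t cases[] = {
        { 0x3FFFF000u, 0x2000u },   /* starts below the loaded image, ends inside it */
        { 0x3FFF0000u, 0x30000u },  /* completely encloses the loaded image */
        { 0x50000000u, 0x1000u },   /* outside the window: the underflow case */
        { 0x40020000u, 0x1000u },   /* legitimate: inside the window, no overlap */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        bool naive = in_allowed_range_naive(cases[i], allowed) &&
                     !overlaps_naive(bl2, cases[i]);
        bool fixed = may_load(cases[i], allowed, &bl2, 1);
        printf("image %zu: naive=%s fixed=%s\n", i,
               naive ? "accept" : "reject", fixed ? "accept" : "reject");
    }
    return 0;
}
```

The naive pair accepts all four constructed images; the hardened pair accepts only the last. The design point is that overlap is decided on the last byte of each region rather than on a computed end, so there is no value that can wrap, and range membership never subtracts two values whose order has not already been established.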
--- Begin Message ---
Source: arm-trusted-firmware
Source-Version: 2.12.0+dfsg-1
Done: Vagrant Cascadian <[email protected]>
We believe that the bug you reported is fixed in the latest version of
arm-trusted-firmware, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Vagrant Cascadian <[email protected]> (supplier of updated
arm-trusted-firmware package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 07 Jan 2025 16:11:32 -0800
Source: arm-trusted-firmware
Architecture: source
Version: 2.12.0+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Vagrant Cascadian <[email protected]>
Changed-By: Vagrant Cascadian <[email protected]>
Closes: 1074431 1076042
Changes:
arm-trusted-firmware (2.12.0+dfsg-1) experimental; urgency=medium
.
* New upstream release. (Closes: #1074431, #1076042)
Fixes CVE-2024-6563 CVE-2024-6564 CVE-2024-6287 CVE-2024-6285
.
[ Diederik de Haas ]
* debian/patches: Don't ignore '*.patch' files in debian/patches
* d/watch: Switch to mode=git
.
[ Vagrant Cascadian ]
* debian/patches: Refresh use-ldflags-with-fiptool-and-cert-create.
* Remove unlicensed binary
plat/arm/board/common/swd_rotpk/arm_swd_rotpk_rsa_sha256.bin
* debian/patches: Add patch working around undefined "PLAT_MSG".
* debian/patches: Disable fatal warnings passed via ASFLAGS to
workaround build failure. Thanks to Marek
Vasut. https://bugs.debian.org/1091147
* debian/rules: Drop passing --no-warn-rwx-segments via TF_LDFLAGS. It
is now detected in the upstream code whether this flag is supported.
* debian/copyright: Update for 2.12.0.
* debian/rules: Temporarily disable building of rcar target.
* debian/control: Update to Standards Version 4.7.0.
Checksums-Sha1:
f587e0e558a03d952d5563dfdd97d828b45b52ac 1672
arm-trusted-firmware_2.12.0+dfsg-1.dsc
4e7d118d3820ca19844a89c56c4603c1c50b1bb8 8035612
arm-trusted-firmware_2.12.0+dfsg.orig.tar.xz
490593d2cc3b2fb87e8ab6fdb00ccdcf0cfbe27d 10840
arm-trusted-firmware_2.12.0+dfsg-1.debian.tar.xz
4738bca5e7f7662b596fee985755d82bcb578056 5729
arm-trusted-firmware_2.12.0+dfsg-1_amd64.buildinfo
Checksums-Sha256:
770b725fa1c116732f23de70d8c1b22d27e4b41211bc854e216d4e3a91c02575 1672
arm-trusted-firmware_2.12.0+dfsg-1.dsc
03d02a6122e36eae080a944da1b2202797b70f612d71e24442b14e7ce66e9cfd 8035612
arm-trusted-firmware_2.12.0+dfsg.orig.tar.xz
34cce0eb5c5d87a376f53d00d0b4112223d819165fb6c382e144476239121df9 10840
arm-trusted-firmware_2.12.0+dfsg-1.debian.tar.xz
f616468939e77de066b8ac373192f0c92591a971454aa69bb3077d5eab745aa7 5729
arm-trusted-firmware_2.12.0+dfsg-1_amd64.buildinfo
Files:
4315a1e289308f3fde21bb8966f838a8 1672 admin optional
arm-trusted-firmware_2.12.0+dfsg-1.dsc
37370e47f03466f07ed2cf5ca5851e22 8035612 admin optional
arm-trusted-firmware_2.12.0+dfsg.orig.tar.xz
4a1f6b52b1019b4147e71c1375083ba4 10840 admin optional
arm-trusted-firmware_2.12.0+dfsg-1.debian.tar.xz
6a077f8d3bb39799b6f7d22b5621c220 5729 admin optional
arm-trusted-firmware_2.12.0+dfsg-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iIkEARYKADEWIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCZ33FIBMcdmFncmFudEBk
ZWJpYW4ub3JnAAoJENxRj8h/lxaq/mUBAJLoliD+4LIOYNOWCc0ZZ/AuYtPLnrph
j8wEIG6aZrDyAQCRnpfP4T+dXX+QaEEk+AJlmHp0EDZasTKO8nb8bye+CA==
=3xXs
-----END PGP SIGNATURE-----
--- End Message ---