Bug 1099264 (CVE-2018-1000205) - VUL-0: CVE-2018-1000205: u-boot: U-Boot contains a CWE-20: Improper Input Validation vulnerability in Verifiedboot signature validation
Status: RESOLVED UPSTREAM
Alias: CVE-2018-1000205
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Alexander Graf
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/208920/
Whiteboard: CVSSv3:SUSE:CVE-2018-1000205:5.1:(AV:...
Reported: 2018-06-27 09:00 UTC by Marcus Meissner
Modified: 2018-12-03 02:52 UTC
Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2018-06-27 09:00:36 UTC
CVE-2018-1000205

U-Boot contains a CWE-20: Improper Input Validation vulnerability in Verified
boot signature validation that can result in Bypass verified boot. This attack
appears to be exploitable via Specially crafted FIT image and special device
memory functionality.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000205
https://lists.denx.de/pipermail/u-boot/2018-June/330898.html
https://lists.denx.de/pipermail/u-boot/2018-June/330454.html
Comment 1 Alexander Graf 2018-06-27 10:03:04 UTC
We don't use FIT in our boot process, so I assume this is not needed.
Comment 2 Marcus Meissner 2018-06-27 11:12:11 UTC
I marked us as not affected. Closing.