CVE-2020-8432

Published: 29 January 2020

In Das U-Boot through 2020.01, a double free has been found in the cmd/gpt.c do_rename_gpt_parts() function. Double freeing may result in a write-what-where condition, allowing an attacker to execute arbitrary code. NOTE: this vulnerability was introduced when attempting to fix a memory leak identified by static analysis.

Priority

Low

CVSS 3 base score: 9.8

Status

Package: u-boot (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Released (2020.01+dfsg-1)
Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (2020.04+dfsg-2ubuntu1)
Ubuntu 20.04 LTS (Focal Fossa): Needed
Ubuntu 18.04 LTS (Bionic Beaver): Needed
Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (code not present)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

Patches:
Upstream: https://gitlab.denx.de/u-boot/u-boot/commit/5749faa3d6837d6dbaf2119fc3ec49a326690c8f