Your submission was sent successfully! Close

CVE-2020-8432

Published: 29 January 2020

In Das U-Boot through 2020.01, a double free has been found in the cmd/gpt.c do_rename_gpt_parts() function. Double freeing may result in a write-what-where condition, allowing an attacker to execute arbitrary code. NOTE: this vulnerablity was introduced when attempting to fix a memory leak identified by static analysis.

Notes

AuthorNote
mdeslaur
per thread, introduced by:
https://gitlab.denx.de/u-boot/u-boot/commit/18030d04
Priority

Low

CVSS 3 base score: 9.8

Status

Package Release Status
u-boot
Launchpad, Ubuntu, Debian
bionic
Released (2020.10+dfsg-1ubuntu0~18.04.2)
eoan Ignored
(reached end-of-life)
focal
Released (2021.01+dfsg-3ubuntu0~20.04.3)
groovy Not vulnerable
(2020.04+dfsg-2ubuntu1)
hirsute Not vulnerable
(2020.04+dfsg-2ubuntu1)
impish Not vulnerable
(2020.04+dfsg-2ubuntu1)
jammy Not vulnerable
(2020.04+dfsg-2ubuntu1)
precise Does not exist

trusty Does not exist

upstream
Released (2020.01+dfsg-1)
xenial Not vulnerable
(code not present)
Patches:
upstream: https://gitlab.denx.de/u-boot/u-boot/commit/5749faa3d6837d6dbaf2119fc3ec49a326690c8f