Bug 1144681 – VUL-1: CVE-2019-13105: u-boot: double-free a cached block of data when listing files in a crafted ext4 filesystem

Bug 1144681 - (CVE-2019-13105) VUL-1: CVE-2019-13105: u-boot: double-free a cached block of data when listing files in a crafted ext4 filesystem

(CVE-2019-13105)
Summary:	VUL-1: CVE-2019-13105: u-boot: double-free a cached block of data when listin...

Status:	RESOLVED UPSTREAM

Classification:	openSUSE
Product:	openSUSE Tumbleweed
Classification:	openSUSE
Component:	Security
Version:	Current
Hardware:	Other Other

Priority:	P5 - None Severity: Minor (vote)
Target Milestone:	---
Assigned To:	Matthias Brugger
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/239126/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-08-07 12:40 UTC by Alexandros Toptsoglou
Modified:	2019-08-12 13:13 UTC (History)
CC List:	0 users

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexandros Toptsoglou 2019-08-07 12:40:09 UTC

CVE-2019-13105

Das U-Boot versions 2019.07-rc1 through 2019.07-rc4 can double-free a cached
block of data when listing files in a crafted ext4 filesystem.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13105
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13105
https://github.com/u-boot/u-boot/commits/master
https://lists.denx.de/pipermail/u-boot/2019-July/375513.html
https://gist.github.com/deephooloovoo/d91b81a1674b4750e662dfae93804d75

Comment 1 Alexandros Toptsoglou 2019-08-07 12:42:16 UTC

affects only version 2019.07. Tw ships 2019.04. The fix can be found at [1]. 
Closing as resolved --> upstream