USN-6523-1: u-boot-nezha vulnerability

Releases

• Ubuntu 23.04
• Ubuntu 22.04 LTS

Packages

• u-boot-nezha - U-Boot for Allwinner Nezha board

Details

It was discovered that U-Boot incorrectly handled certain USB DFU download
setup packets. A local attacker could use this issue to cause U-Boot to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2022-2347)

Nicolas Bidron and Nicolas Guigo discovered that U-Boot incorrectly handled
certain fragmented IP packets. A local attacker could use this issue to
cause U-Boot to crash, resulting in a denial of service, or possibly
execute arbitrary code. (CVE-2022-30552, CVE-2022-30790)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 23.04

• u-boot-nezha - 2022.10-1089-g528ae9bc6c-0ubuntu1.23.04.2

Ubuntu 22.04

• u-boot-nezha - 2022.04+git20220405.7446a472-0ubuntu0.4

In general, a standard system update will make all the necessary changes.

References

• CVE-2022-30790
• CVE-2022-2347
• CVE-2022-30552

Related notices

• USN-5764-1: u-boot-qcom, u-boot-sifive, u-boot-exynos, u-boot-rockchip, u-boot-mvebu, u-boot-tools, u-boot-rpi, u-boot-stm32, u-boot-amlogic, u-boot-sunxi, u-boot-qemu, u-boot-omap, u-boot-imx, u-boot-microchip, u-boot-tegra, u-boot