Salvatore Bonaccorso
2024-07-09 20:20:01 UTC
Version: 2.10.0+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: ***@debian.org, Debian Security Team <***@security.debian.org>
Hi,
The following vulnerabilities were published for arm-trusted-firmware.
CVE-2024-6563[0]:
| Buffer Copy without Checking Size of Input ('Classic Buffer
| Overflow') vulnerability in Renesas arm-trusted-firmware allows
| Local Execution of Code. This vulnerability is associated with
| program files https://github.Com/renesas-rcar/arm-trusted-
| firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/i...
| https://github.Com/renesas-rcar/arm-trusted-
| firmware/blob/rcar_gen3_v2.5/drivers/renesas/common/io/io_rcar.C .
| In line 313 "addr_loaded_cnt" is checked not to be
| "CHECK_IMAGE_AREA_CNT" (5) or larger, this check does not halt the
| function. Immediately after (line 317) there will be an overflow in
| the buffer and the value of "dst" will be written to the area
| immediately after the buffer, which is "addr_loaded_cnt". This will
| allow an attacker to freely control the value of "addr_loaded_cnt"
| and thus control the destination of the write immediately after
| (line 318). The write in line 318 will then be fully controlled by
| said attacker, with whichever address and whichever value ("len")
| they desire.
CVE-2024-6564[1]:
| Buffer overflow in "rcar_dev_init" due to using
| untrusted data (rcar_image_number) as a loop counter before
| verifying it against RCAR_MAX_BL3X_IMAGE. This could lead to a full
| bypass of secure boot.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-6563
https://www.cve.org/CVERecord?id=CVE-2024-6563
[1] https://security-tracker.debian.org/tracker/CVE-2024-6564
https://www.cve.org/CVERecord?id=CVE-2024-6564
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
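
The control-flow defect described for CVE-2024-6563 (a limit check that does not halt the function), shown beside a hardened form. This is an added example, not part of the original report and not the Renesas driver code. The struct layout, function names, error code and counter increment are assumptions; only `addr_loaded_cnt` and `CHECK_IMAGE_AREA_CNT` (5) come from the CVE text.

```c
#include <errno.h>
#include <stdint.h>
#define CHECK_IMAGE_AREA_CNT 5U /* limit quoted in the CVE text */

/* Hypothetical model of the bookkeeping; not the driver's real layout. */
struct load_log {
    uintptr_t dest[CHECK_IMAGE_AREA_CNT];
    uint32_t  len[CHECK_IMAGE_AREA_CNT];
    uint32_t  addr_loaded_cnt; /* entries in use */
    uint32_t  oob_attempts;    /* model only: stores that would miss the table */
};

/* Model-only store: counts an out-of-range index instead of writing there. */
static void store_entry(struct load_log *l, uint32_t i, uintptr_t dst, uint32_t len)
{
    if (i >= CHECK_IMAGE_AREA_CNT) { l->oob_attempts++; return; }
    l->dest[i] = dst;
    l->len[i] = len;
}

/* Flawed shape: the limit check records an error but does not return. */
int record_area_flawed(struct load_log *l, uintptr_t dst, uint32_t len)
{
    int rc = 0;
    if (l->addr_loaded_cnt >= CHECK_IMAGE_AREA_CNT)
        rc = -ENOMEM; /* noted, but execution continues to the store */
    store_entry(l, l->addr_loaded_cnt++, dst, len);
    return rc;
}

/* Hardened shape: reject before any store or counter update. */
int record_area_checked(struct load_log *l, uintptr_t dst, uint32_t len)
{
    if (l->addr_loaded_cnt >= CHECK_IMAGE_AREA_CNT)
        return -ENOMEM; /* halt: the table is full */
    store_entry(l, l->addr_loaded_cnt++, dst, len);
    return 0;
}

/* Push one record too many (constructed input); return out-of-table stores. */
uint32_t run_model(int hardened)
{
    struct load_log l = {0};
    for (uint32_t i = 0; i <= CHECK_IMAGE_AREA_CNT; i++) {
        if (hardened) (void)record_area_checked(&l, 0x1000U * (i + 1U), 16U);
        else          (void)record_area_flawed(&l, 0x1000U * (i + 1U), 16U);
    }
    return l.oob_attempts;
}
```

The same validate-before-use ordering applies to the loop counter named in CVE-2024-6564: compare it against its maximum before the first iteration, not after.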