Awesome, thanks for the update! On Tue, Feb 25, 2025, 9:59 AM Tom Rini <tr...@konsulko.com> wrote:
> On Sat, Feb 22, 2025 at 12:47:45PM -0800, Jonathan Bar Or wrote: > > > Hello Tom and team, > > > > Looks like all of the issues were fixed and merged - am I correct? > > I intend to make a public disclosure March 19th, is that okay? > > Yes, I've merged all of the patches I'm aware of at this point. > > > > > Best, > > Jonathan > > > > On Fri, Feb 14, 2025 at 7:24 PM Jonathan Bar Or <jonathanba...@gmail.com> > wrote: > > > > > > Please disregard the previous message, those are the actual CVE > numbers: > > > > > > - CVE-2025-26726 :SquashFS directory table parsing buffer overflow > > > - CVE-2025-26727: SquashFS inode parsing buffer overflow. > > > - CVE-2025-26728: SquashFS nested file reading buffer overflow. > > > - CVE-2025-26729: EroFS symlink resolution buffer overflow. > > > > > > Best regards, > > > Jonathan > > > > > > > > > On Fri, Feb 14, 2025 at 7:17 PM Jonathan Bar Or < > jonathanba...@gmail.com> wrote: > > > > > > > > Hi folks. > > > > > > > > Here are the CVEs assigned by MITRE: > > > > - CVE-2025-26721: buffer overflow in the persistent storage for file > creation > > > > - CVE-2025-26722: buffer overflow in SquashFS symlink resolution > > > > - CVE-2025-26723: buffer overflow in EXT4 symlink resolution > > > > - CVE-2025-26724: buffer overflow in CramFS symlink resolution > > > > - CVE-2025-26724: buffer overflow in JFFS2 dirent parsing > > > > > > > > Best regards, > > > > Jonathan > > > > > > > > On Wed, Feb 12, 2025 at 12:24 AM Miquel Raynal > > > > <miquel.ray...@bootlin.com> wrote: > > > > > > > > > > Hello Tom, > > > > > > > > > > On 11/02/2025 at 15:29:09 -06, Tom Rini <tr...@konsulko.com> > wrote: > > > > > > > > > > > On Tue, Feb 11, 2025 at 08:26:37AM -0800, Jonathan Bar Or wrote: > > > > > >> Hi Tom and the rest of the team, > > > > > >> > > > > > >> Please let me know about fix time, whether this is acknowledged > and > > > > > >> whether you're going to request CVE IDs for those or if I > should do > > > > > >> it. > > > > > >> The reason is that I found similar issues in other bootloaders, > so I'm > > > > > >> trying to synchronize all of them. For what it's worth, Barebox > has > > > > > >> similar issues and are currently fixing. > > > > > > > > > > > > Yes, these seem valid. We don't have a CVE requesting authority > so if > > > > > > you want them, go ahead and request them. You saw Gao Xiang's > response > > > > > > for erofs, and I'm hoping one of the squashfs maintainers will > chime > > > > > > in. > > > > > > > > > > Either João or me, we will have a look. > > > > > > > > > > Thanks, > > > > > Miquèl > > -- > Tom >
