CVE-2022-33967

Name
CVE-2022-33967
Description
squashfs filesystem implementation of U-Boot versions from v2020.10-rc2 to v2022.07-rc5 contains a heap-based buffer overflow vulnerability due to a defect in the metadata reading process. Loading a specially crafted squashfs image may lead to a denial-of-service (DoS) condition or arbitrary code execution.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://www.denx.de/project/u-boot/
MISC https://lists.denx.de/pipermail/u-boot/2022-June/487467.html
MISC https://jvn.jp/en/vu/JVNVU97846460/index.html
MISC https://source.denx.de/u-boot/u-boot/-/commit/7f7fb9937c6cb49dd35153bd6708872b390b0a44

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:denx:u-boot:2021.04:rc1:*:*:*:*:*:* u-boot == None == 2021.04
cpe:2.3:a:denx:u-boot:2022.07:rc2:*:*:*:*:*:* u-boot == None == 2022.07
cpe:2.3:a:denx:u-boot:2022.01:-:*:*:*:*:*:* u-boot == None == 2022.01
cpe:2.3:a:denx:u-boot:2020.10:rc2:*:*:*:*:*:* u-boot == None == 2020.10
cpe:2.3:a:denx:u-boot:2021.01:-:*:*:*:*:*:* u-boot == None == 2021.01
cpe:2.3:a:denx:u-boot:2022.04:-:*:*:*:*:*:* u-boot == None == 2022.04

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
u-boot 3.16-main 2022.04-r1 Milan P. Stanić <mps@arvanta.net> possibly vulnerable
u-boot 3.14-main 2021.04-r0 Milan P. Stanić <mps@arvanta.net> possibly vulnerable