Security update for u-boot SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20219-1 Final 1 1 2025-04-29T11:10:08Z current 2025-04-29T11:10:08Z 2025-04-29T11:10:08Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for u-boot This update for u-boot fixes the following issues: - CVE-2024-57256: Fixed integer overflow in U-Boot's ext4 symlink resolution function (bsc#1237284) - CVE-2024-57258: Fixed multiple integer overflows in U-Boot's memory allocator (bsc#1237287) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-302 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520219-1/ Link for SUSE-SU-2025:20219-1 https://lists.suse.com/pipermail/sle-security-updates/2025-June/021110.html E-Mail link for SUSE-SU-2025:20219-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1237284 SUSE Bug 1237284 https://bugzilla.suse.com/1237287 SUSE Bug 1237287 https://www.suse.com/security/cve/CVE-2024-57256/ SUSE CVE CVE-2024-57256 page https://www.suse.com/security/cve/CVE-2024-57258/ SUSE CVE CVE-2024-57258 page SUSE Linux Micro 6.0 u-boot-rpiarm64-2023.04-2.1 u-boot-rpiarm64-doc-2023.04-2.1 u-boot-rpiarm64-2023.04-2.1 as a component of SUSE Linux Micro 6.0 u-boot-rpiarm64-doc-2023.04-2.1 as a component of SUSE Linux Micro 6.0 An integer overflow in ext4fs_read_symlink in Das U-Boot before 2025.01-rc1 occurs for zalloc (adding one to an le32 variable) via a crafted ext4 filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant memory overwrite. CVE-2024-57256 SUSE Linux Micro 6.0:u-boot-rpiarm64-2023.04-2.1 SUSE Linux Micro 6.0:u-boot-rpiarm64-doc-2023.04-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520219-1/ https://www.suse.com/security/cve/CVE-2024-57256.html CVE-2024-57256 https://bugzilla.suse.com/1237284 SUSE Bug 1237284 Integer overflows in memory allocation in Das U-Boot before 2025.01-rc1 occur for a crafted squashfs filesystem via sbrk, via request2size, or because ptrdiff_t is mishandled on x86_64. CVE-2024-57258 SUSE Linux Micro 6.0:u-boot-rpiarm64-2023.04-2.1 SUSE Linux Micro 6.0:u-boot-rpiarm64-doc-2023.04-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520219-1/ https://www.suse.com/security/cve/CVE-2024-57258.html CVE-2024-57258 https://bugzilla.suse.com/1237287 SUSE Bug 1237287