Re: Updating cypress/brcm firmware in linux-firmware for CVE-2019-15126

[Hans de Goede]

Hi,

On 3/5/20 4:50 AM, Chi-Hsien Lin wrote:
> (+Chris)
>
> On 03/04/2020 7:45, Hans de Goede wrote:
> > Hi,
> >
> > On 2/26/20 11:16 PM, Hans de Goede wrote:
> > > Hello Cypress people,
> > >
> > > Can we please get updated firmware for
> > > brcm/brcmfmac4356-pcie.bin and brcm/brcmfmac4356-sdio.bin
> > > fixing CVE-2019-15126 as well as for any other affected
> > > models (the 4356 is explicitly named in the CVE description) ?
> > >
> > > The current Cypress firmware files in linux-firmware are
> > > quite old, e.g. for brcm/brcmfmac4356-pcie.bin linux-firmware has:
> > > version 7.35.180.176 dated 2017-10-23, way before the CVE
> > >
> > > Where as https://community.cypress.com/docs/DOC-19000 /
> > > cypress-fmac-v4.14.77-2020_0115.zip has:
> > > version 7.35.180.197 which presumably contains a fix (no changelog)
> >
> > Ping?
> >
> > The very old age of the firmware files in linux-firmware is really
> > UNACCEPTABLE and very irresponsible from a security POV. Please
> > fix this very soon.
> >
> > If you do not reply to this email I see no choice but to switch
> > the firmwares in linux-firmware over to the ones from the SDK which
> > you do regularly update, e.g. those from:
> > https://community.cypress.com/docs/DOC-19000
> >
> > Yes those are under an older, slightly different version of the Cypress
> > license, which is less then ideal, but that license is still acceptable
> > for linux-firmware (*) and since you are not providing any updates to
> > the special builds you have been doing for linux-firmware you are
> > really leaving us no option other then switching to the SDK version
> > of the firmwares.
>
> Hans,

<snip>

> Chris owns the Cypress firmware upstream strategy and will explain our going-forward strategy to you.

Ping? It has been a week and we have not heard anything from Chris about this yet?

Regards,

Hans