SIMPLELINK-CC2640R2-SDK: Vulnerabilities CVE-2021-3420

Shota Chida

Part Number: SIMPLELINK-CC2640R2-SDK

Hello.

I have a question regarding a vulnerability in the CC2640R2 SDK.

According to the manifest below, I understood that the CC2640R2 SDK uses newlib.
https://software-dl.ti.com/simplelink/esd/simplelink_cc2640r2_sdk/5.30.00.03/exports/manifest_simplelink_cc2640r2_sdk_5_30_00_03.html

So my question is, does the vulnerability (CVE-2021-3420) related to newlib affect CC2640R2 SDK 5.30.00.03 ?
In addition, do any other newlib vulnerabilities (CVE-2019-1487X) affect CC2640R2 SDK 5.30.00.03 ?

Many thanks,

Shota

over 3 years ago

0 Clément over 3 years ago

TI__Guru** 101460 points

Hi Shota,

I'll have to consult my team. I'll be back to you tomorrow.

Please bear with me.

Best regards,

+1 Clément over 3 years ago in reply to Clément

TI__Guru** 101460 points

Hi Shota,

Looking at CVE-2021-3420, it seems like that is an issue with newlib in the Fedora Linux distribution. As we only rely on the standard lib functions of the toolchains we support and their own installations (TI ARM, TI Clang, IAR, GCC), CVE-2021-3420 does not apply. Same comment for the other vulnerabilities you have mentioned.

With that being said, we did have a similar issue like CVE-2021-3420 where integer overflows could result in a heap buffer overflow. Again it is not the same bug, but it is very similar: https://www.ti.com/lit/pdf/SWRA709

I hope this will help,

Best regards,

0 Shota Chida over 3 years ago in reply to Clément

Prodigy 10 points

Hello Clement,

Thanks to your reply, my issue has been solved. Thank you for your support.

Arm-based microcontrollers

Arm-based microcontrollers forum

SIMPLELINK-CC2640R2-SDK: Vulnerabilities CVE-2021-3420