common/password.c in Pengutronix barebox through 2021.07.0 leaks timing information because strncmp is used during hash comparison.
[
{
"id": "CVE-2021-37848-00cbff65",
"target": {
"file": "common/password.c"
},
"signature_version": "v1",
"source": "https://github.com/saschahauer/barebox/commit/a3337563c705bc8e0cf32f910b3e9e3c43d962ff",
"signature_type": "Line",
"digest": {
"line_hashes": [
"286483416564148237014664334187897996842",
"82341561494851006650848126628061910030",
"160300210200201742434445603001761179386",
"331255837984390417579900180276178061273",
"71206244788899728916889356691555085839",
"256458294048974650112929662464190582585",
"333251219697399135318302262459666338848",
"183776022809160989712221249666787241014",
"254544937353092481425502287652833645885",
"77921965859436756916281033906327323109",
"230797779611143726437514116441912154259",
"32386485479158884066927671304407540509"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "CVE-2021-37848-63c8d193",
"target": {
"function": "check_passwd",
"file": "common/password.c"
},
"signature_version": "v1",
"source": "https://github.com/saschahauer/barebox/commit/a3337563c705bc8e0cf32f910b3e9e3c43d962ff",
"signature_type": "Function",
"digest": {
"function_hash": "90977046801678930462450758757847571578",
"length": 1171.0
},
"deprecated": false
}
]
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-37848.json"
"2026-04-11T18:44:51Z"
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2021.07.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2021.07.0"
}
]
}
]