Re: The same bug.
You might find this helpful: https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/
Thanks, Doc!
Qualcomm declined to comment further on precisely which of the three CVE-listed vulnerabilities its chips were subject to, or give any details on which of its CPU models may be vulnerable. The paper describing the Spectre data-snooping attacks mentions that Qualcomm's CPUs are affected, while the Meltdown paper doesn't conclude either way.
El'Reg, I think you have to understand, we have three CVE's, two l33t names for these vulns, Spectre and Meltdown.
The only CPU's affected by Meltdown are All recent Intel CPU's, from 2010 on (at the very least), and a AMD Pro CPU with jit (just in time compiler) enabled (which is disabled by default).
Spectre is a more generic vuln that affects a bunch of CPU designers/vendors including Intel, AMD, ARM, IBM, and Qualcomm.
What is the difference between Spectre and Meltdown ?
Meltdown exploits are globally easier to implement than Spectre.
Meltdown takes advantage of memory reads in out-of-order instructions, Spectre acts on the branch prediction mechanism.
Spectre allows for cross/intra process memory disclosure, Meltdown allows disclosure of kernel memory to the user-space processes (normally not accessible).
Meltdown has a known software mitigation.
Both rely on a cache side-channel attack, which is a measure of timing differences when accessing certain blocks of memory to deduce the information otherwise unknown.
More gory details available here, idiot-proof read:
https://security.stackexchange.com/questions/176803/meltdown-and-spectre-vulnerabilities