January 2024 - openSUSE Bugs - openSUSE Mailing Lists

[Bug 1218678] New: VUL-0: CVE-2022-36763: EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of co ...
by bugzilla_noreply＠suse.com 26 Apr '24

26 Apr '24

https://bugzilla.suse.com/show_bug.cgi?id=1218678 Bug ID: 1218678 Summary: VUL-0: CVE-2022-36763: EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of co ... Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/390488/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: guillaume.gardet(a)opensuse.org Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: stoyan.manolov(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36763 https://www.cve.org/CVERecord?id=CVE-2022-36763 https://github.com/tianocore/edk2/security/advisories/GHSA-xvv8-66cq-prwr -- You are receiving this mail because: You are on the CC list for the bug.

1 7

[Bug 1218679] New: VUL-0: CVE-2022-36764: EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of con ...
by bugzilla_noreply＠suse.com 26 Apr '24

26 Apr '24

https://bugzilla.suse.com/show_bug.cgi?id=1218679 Bug ID: 1218679 Summary: VUL-0: CVE-2022-36764: EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of con ... Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/390489/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: guillaume.gardet(a)opensuse.org Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: stoyan.manolov(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36764 https://www.cve.org/CVERecord?id=CVE-2022-36764 https://github.com/tianocore/edk2/security/advisories/GHSA-4hcq-p8q8-hj8j -- You are receiving this mail because: You are on the CC list for the bug.

1 7

[Bug 1218680] New: VUL-0: CVE-2022-36765: EDK2 is susceptible to a vulnerability in the CreateHob() function, allowing a user to trigger a integer overflow to buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise ...
by bugzilla_noreply＠suse.com 26 Apr '24

26 Apr '24

https://bugzilla.suse.com/show_bug.cgi?id=1218680 Bug ID: 1218680 Summary: VUL-0: CVE-2022-36765: EDK2 is susceptible to a vulnerability in the CreateHob() function, allowing a user to trigger a integer overflow to buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise ... Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/390490/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: guillaume.gardet(a)opensuse.org Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: stoyan.manolov(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- EDK2 is susceptible to a vulnerability in the CreateHob() function, allowing a user to trigger a integer overflow to buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36765 https://www.cve.org/CVERecord?id=CVE-2022-36765 https://github.com/tianocore/edk2/security/advisories/GHSA-ch4w-v7m3-g8wx -- You are receiving this mail because: You are on the CC list for the bug.

1 7

[Bug 1218887] New: VUL-0: CVE-2023-45237: edk2, ovmf: Use of a Weak PseudoRandom Number Generator
by bugzilla_noreply＠suse.com 25 Apr '24

25 Apr '24

https://bugzilla.suse.com/show_bug.cgi?id=1218887 Bug ID: 1218887 Summary: VUL-0: CVE-2023-45237: edk2, ovmf: Use of a Weak PseudoRandom Number Generator Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/391385/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: guillaume.gardet(a)opensuse.org Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: stoyan.manolov(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45237 https://github.com/tianocore/edk2/security/advisories/GHSA-hc6x-cw6p-gj7h https://www.cve.org/CVERecord?id=CVE-2023-45237 http://www.openwall.com/lists/oss-security/2024/01/16/2 https://bugzilla.redhat.com/show_bug.cgi?id=2258706 -- You are receiving this mail because: You are on the CC list for the bug.

1 6

[Bug 1219180] New: Missing framebuffer during boot on aarch64
by bugzilla_noreply＠suse.com 25 Apr '24

25 Apr '24

https://bugzilla.suse.com/show_bug.cgi?id=1219180 Bug ID: 1219180 Summary: Missing framebuffer during boot on aarch64 Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other URL: https://openqa.opensuse.org/tests/3891664/modules/ansi ble/steps/31 OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Kernel Assignee: kernel-bugs(a)opensuse.org Reporter: fvogt(a)suse.com QA Contact: qa-bugs(a)suse.de CC: tzimmermann(a)suse.com Target Milestone: --- Found By: openQA Blocker: --- Unless the initrd is built with the platform native DRM driver (e.g. virtio_gpu), there is no graphical output during boot. This also means that entering a passphrase for unlocking the root fs is not possible. On x86 it uses the EFI framebuffer successfully, but on aarch64 dmesg has no trace of efifb/simplefb/simpledrm. ## Observation openQA test in scenario microos-Tumbleweed-MicroOS-Image-sdboot-aarch64-microos-wizard@aarch64 fails in [ansible](https://openqa.opensuse.org/tests/3891664/modules/ansible/steps/31) ## Test suite description Like MicroOS, but use neither combustion nor ignition for the intial configuration, so jeos-firstboot runs. ## Reproducible Fails since (at least) Build [20231129](https://openqa.opensuse.org/tests/3771195) ## Expected result Last good: [20231127](https://openqa.opensuse.org/tests/3763820) (or more recent) ## Further details Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=aarch64&distri=microo… -- You are receiving this mail because: You are on the CC list for the bug.

1 8

[Bug 1218158] New: yast-nfs-server hardcoded configuration file /etc/idmapd.conf
by bugzilla_noreply＠suse.com 23 Apr '24

23 Apr '24

https://bugzilla.suse.com/show_bug.cgi?id=1218158 Bug ID: 1218158 Summary: yast-nfs-server hardcoded configuration file /etc/idmapd.conf Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: YaST2 Assignee: yast2-maintainers(a)suse.de Reporter: ana.guerrero(a)suse.com QA Contact: jsrain(a)suse.com Target Milestone: --- Found By: --- Blocker: --- nfs-client has moved its default configuration files from /etc to /usr/etc yast-nfs-server is expecting to find the default file at /etc/idmapd.conf see: https://github.com/yast/yast-nfs-server/blob/a7714580ccd9c6e2e4acdc62c4e0dd… and it fails, you can see it in this test: https://openqa.opensuse.org/tests/3819034#step/yast2_nfs_server/28 For reference, see: https://bugzilla.opensuse.org/show_bug.cgi?id=1216740 -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1217488] New: pynfs CID* tests fails: OP_SETCLIENTID should return NFS4_OK, instead got NFS4ERR_DELAY
by bugzilla_noreply＠suse.com 23 Apr '24

23 Apr '24

https://bugzilla.suse.com/show_bug.cgi?id=1217488 Bug ID: 1217488 Summary: pynfs CID* tests fails: OP_SETCLIENTID should return NFS4_OK, instead got NFS4ERR_DELAY Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Kernel:Filesystems Assignee: nfbrown(a)suse.com Reporter: petr.vorel(a)suse.com QA Contact: petr.vorel(a)suse.com Target Milestone: --- Found By: --- Blocker: --- Although we start due #1217128 testing via cdmackay/pynfs.git, which has fix for "nfs4lib.BadCompoundRes: operation OP_SETCLIENTID should return NFS4_OK [1], instead got NFS4ERR_DELAY", we still get 9 tests failing with this error on Tumbleweed. Any idea what could be wrong now? O I can ask Calum Mackay on linux-nfs if you're busy with more important stuff. [1] https://git.linux-nfs.org/?p=cdmackay/pynfs.git;a=commit;h=0d4d3fd0bb7a6386… -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1216740] New: nfs-client: move config to /usr
by bugzilla_noreply＠suse.com 22 Apr '24

22 Apr '24

https://bugzilla.suse.com/show_bug.cgi?id=1216740 Bug ID: 1216740 Summary: nfs-client: move config to /usr Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: nfbrown(a)suse.com Reporter: lnussel(a)suse.com QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- nfs-client ships several (sample) config files in /etc. Those should be removed nowadays. Just package the samples as %doc. The relevant ones should be shipped in /usr (e.g /usr/etc) instead. Bonus points for also supporting drop-ins. See also tracker bug 1208319 -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1213595] New: Live ISO does not creates Persistent storage
by bugzilla_noreply＠suse.com 22 Apr '24

22 Apr '24

https://bugzilla.suse.com/show_bug.cgi?id=1213595 Bug ID: 1213595 Summary: Live ISO does not creates Persistent storage Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.5 Hardware: x86-64 OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Live Medium Assignee: fvogt(a)suse.com Reporter: sehsuvarselmanoglu(a)hotmail.com QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- Created attachment 868398 --> https://bugzilla.suse.com/attachment.cgi?id=868398&action=edit 7z File for some logs Hi, I downloaded OpenSUSE Leap ISO (openSUSE-Leap-15.5-KDE-Live-x86_64-Build10.40-Media.iso) at 08/06/2023 (as soon as released) then I “dd” to USB stick and plugged to computer and it worked fine. At first boot, it did create the persistent storage cow (boot.log : [ 22.002982] dracut-initqueue[877]: mke2fs 1.46.4 (18-Aug-2021) ) Few days later I download again this time build number was different (openSUSE-Leap-15.5-KDE-Live-x86_64-Build10.57-Media.iso). At first boot, it did not create persistent storage. dracut says (boot.log : [ 21.489260] dracut-initqueue[769]: Warning: Falling back to temporary overlay) same as the new release (openSUSE-Leap-15.5-KDE-Live-x86_64-Build10.73-Media.iso) Any release after 10.40 does not creates persistent storage (neither 10.53 nor 10.73) I tried with different CPU (AMD, Core Duo, I5) and different USB stick (4GB 8GB 16GB and 32GB) even with different port (USB2 USB3) with different USB s and so on. No matter what I tried don't work. Releases after 10.40 (10.57 or 10.73) do not creates the persistent storage. So I open discussion on the forums.opensuse.org and someone suggested that I need to open bug report. and he/she wrote "It is not something you can fix without recreating initrd. The script that is used here comes from kiwi dracut module.". I also add the 7zip file for each ISO "....10.40", "...10.57", "...10.73" that contains some log files. "boot.log" : "sudo cp /var/log/boot.log" "boot.msg" : "cp /var/log/boot.msg" "dmesg.txt" : Output of "dmesg" right after the first boot "fdisk.txt" : 0utput of "fdisk -l" right after first boot "journal.txt" : Output of "sudo journalctl --no-pager --full -b" Thank you very much. -- You are receiving this mail because: You are on the CC list for the bug.

1 13

[Bug 1213371] New: Dolphin cannot display HEIC images
by bugzilla_noreply＠suse.com 19 Apr '24

19 Apr '24

https://bugzilla.suse.com/show_bug.cgi?id=1213371 Bug ID: 1213371 Summary: Dolphin cannot display HEIC images Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: x86-64 OS: openSUSE Tumbleweed Status: NEW Severity: Normal Priority: P5 - None Component: KDE Applications Assignee: opensuse-kde-bugs(a)opensuse.org Reporter: f.alexander.wilms(a)gmail.com QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- Dolphin does not show thumbnails for .heic files. -- You are receiving this mail because: You are on the CC list for the bug.

1 5