June 2024 - openSUSE Bugs - openSUSE Mailing Lists

[Bug 1225690] New: VUL-0: chromium,ungoogled-chromium: multiple vulnerabilities fixed in 125.0.6422.141
by bugzilla_noreply＠suse.com 23 Aug '24

23 Aug '24

https://bugzilla.suse.com/show_bug.cgi?id=1225690 Bug ID: 1225690 Summary: VUL-0: chromium,ungoogled-chromium: multiple vulnerabilities fixed in 125.0.6422.141 Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.5 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team(a)suse.de Reporter: andrea.mattiazzo(a)suse.com QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- The Stable channel has been updated to 125.0.6422.141/.142 for Windows, Mac and 125.0.6422.141 for Linux which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log. Security Fixes and Rewards Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed. This update includes 11 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information. - CVE-2024-5493: Heap buffer overflow in WebRTC. - CVE-2024-5494: Use after free in Dawn. - CVE-2024-5495: Use after free in Dawn. - CVE-2024-5496: Use after free in Media Session. - CVE-2024-5497: Out of bounds memory access in Keyboard Inputs. - CVE-2024-5498: Use after free in Presentation API. - CVE-2024-5499: Out of bounds write in Streams API. As usual, our ongoing internal security work was responsible for a wide range of fixes: [343518382] Various fixes from internal audits, fuzzing and other initiatives Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL. [0] https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-des… -- You are receiving this mail because: You are on the CC list for the bug.

1 6

[Bug 1227174] New: VUL-0: CVE-2024-39705: python-nltk: remote code execution through the integrated data package download functionality
by bugzilla_noreply＠suse.com 23 Aug '24

23 Aug '24

https://bugzilla.suse.com/show_bug.cgi?id=1227174 Bug ID: 1227174 Summary: VUL-0: CVE-2024-39705: python-nltk: remote code execution through the integrated data package download functionality Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/412359/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: python-maintainers(a)suse.com Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39705 https://www.cve.org/CVERecord?id=CVE-2024-39705 https://github.com/nltk/nltk/issues/2522 https://github.com/nltk/nltk/issues/3266 https://bugzilla.redhat.com/show_bug.cgi?id=2294671 -- You are receiving this mail because: You are on the CC list for the bug.

1 10

[Bug 1222468] New: VUL-0: CVE-2024-22189: caddy: quic-go: memory exhaustion attack against QUIC's connection ID mechanism
by bugzilla_noreply＠suse.com 23 Aug '24

23 Aug '24

https://bugzilla.suse.com/show_bug.cgi?id=1222468 Bug ID: 1222468 Summary: VUL-0: CVE-2024-22189: caddy: quic-go: memory exhaustion attack against QUIC's connection ID mechanism Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other URL: https://smash.suse.de/issue/400376/ OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Security Assignee: alexandre.vicenzi(a)suse.com Reporter: camila.matos(a)suse.com QA Contact: qa-bugs(a)suse.de CC: camila.matos(a)suse.com, jkowalczyk(a)suse.com, security-team(a)suse.de, smash_bz(a)suse.de Blocks: 1222461 Target Milestone: --- Found By: Security Response Team Blocker: --- +++ This bug was initially created as a clone of Bug #1222461 +++ quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory sending a large number of `NEW_CONNECTION_ID` frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a `RETIRE_CONNECTION_ID` frame. The attacker can prevent the receiver from sending out (the vast majority of) these `RETIRE_CONNECTION_ID` frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. Version 0.42.0 contains a patch for the issue. No known workarounds are available. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-22189 https://www.cve.org/CVERecord?id=CVE-2024-22189 https://github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c… https://github.com/quic-go/quic-go/security/advisories/GHSA-c33x-xqrf-c478 https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-manageme… https://www.youtube.com/watch?v=JqXtYcZAtIA&t=3683s https://bugzilla.redhat.com/show_bug.cgi?id=2273513 -- You are receiving this mail because: You are on the CC list for the bug.

1 10

[Bug 1225938] New: Package python311-css-parser missing - needed by Gajim
by bugzilla_noreply＠suse.com 23 Aug '24

23 Aug '24

https://bugzilla.suse.com/show_bug.cgi?id=1225938 Bug ID: 1225938 Summary: Package python311-css-parser missing - needed by Gajim Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Python Assignee: python-maintainers(a)suse.com Reporter: holgi(a)suse.com QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- Package python311-css-parser missing - needed by Gajim -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1226099] New: VUL-0: CVE-2024-5742: nano: running `chmod` and `chown` on the filename allows malicious user to replace the emergency file with a malicious symlink to a root-owned file
by bugzilla_noreply＠suse.com 23 Aug '24

23 Aug '24

https://bugzilla.suse.com/show_bug.cgi?id=1226099 Bug ID: 1226099 Summary: VUL-0: CVE-2024-5742: nano: running `chmod` and `chown` on the filename allows malicious user to replace the emergency file with a malicious symlink to a root-owned file Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/409081/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: crrodriguez(a)opensuse.org Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- When nano is killed while it has a modified buffer, it saves this buffer to an emergency .save file and then chmods and chowns this file to the permissions and owner of the original file. This means that when nano is run as root and edits a user-owned file in a directory that is writable by that user, it gives a malicious user a window of opportunity to replace the .save file with a malicious symlink to a root-owned file. To be exploitable, it requires that the malicious user is able to kill the nano run by root. The original reporters of the problem said this: We think it will mostly have an impact on multi-user systems. Where an admin might open a user's file -- for example to fix a broken config file. This could be in a user directory, requiring the admin to either become the user, or become root. If an admin does the latter, this attack can be performed - as long as the user can kill nano of course. One such example might be when root is logged in over `ssh` to a low-privilege user machine and the user can turn off the wifi on that machine. https://bugzilla.redhat.com/show_bug.cgi?id=2277586 https://git.savannah.gnu.org/cgit/nano.git/commit/?id=5e7a3c2e7e118c7f12d5d… References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-5742 https://bugzilla.redhat.com/show_bug.cgi?id=2278574 -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1220403] New: VUL-0: CVE-2024-23837: libhtp: excessive processing time of HTTP headers can lead to denial of service
by bugzilla_noreply＠suse.com 23 Aug '24

23 Aug '24

https://bugzilla.suse.com/show_bug.cgi?id=1220403 Bug ID: 1220403 Summary: VUL-0: CVE-2024-23837: libhtp: excessive processing time of HTTP headers can lead to denial of service Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/395171/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: otto.hollmann(a)suse.com Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: carlos.lopez(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- LibHTP is a security-aware parser for the HTTP protocol. Crafted traffic can cause excessive processing time of HTTP headers, leading to denial of service. This issue is addressed in 0.5.46. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23837 https://www.cve.org/CVERecord?id=CVE-2024-23837 https://github.com/OISF/libhtp/commit/20ac301d801cdf01b3f021cca08a22a87f477… https://github.com/OISF/libhtp/security/advisories/GHSA-f9wf-rrjj-qx8m https://redmine.openinfosecfoundation.org/issues/6444 -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1227167] New: VUL-0: CVE-2024-24792: keybase-client: golang.org/x/image/tiff: parsing of a corrupt or malicious image with invalid color indices can cause a panic
by bugzilla_noreply＠suse.com 23 Aug '24

23 Aug '24

https://bugzilla.suse.com/show_bug.cgi?id=1227167 Bug ID: 1227167 Summary: VUL-0: CVE-2024-24792: keybase-client: golang.org/x/image/tiff: parsing of a corrupt or malicious image with invalid color indices can cause a panic Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/412299/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: marix(a)marix.org Reporter: camila.matos(a)suse.com QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com, security-team(a)suse.de, smash_bz(a)suse.de Blocks: 1227158 Target Milestone: --- Found By: Security Response Team Blocker: --- +++ This bug was initially created as a clone of Bug #1227158 +++ Parsing a corrupt or malicious image with invalid color indices can cause a panic. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24792 https://www.cve.org/CVERecord?id=CVE-2024-24792 https://go.dev/cl/588115 https://go.dev/issue/67624 https://pkg.go.dev/vuln/GO-2024-2937 -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1223398] New: VUL-0: CVE-2024-22373: gdcm: out-of-bounds write in the JPEG2000Codec:DecodeByStreamsCommon functionality
by bugzilla_noreply＠suse.com 23 Aug '24

23 Aug '24

https://bugzilla.suse.com/show_bug.cgi?id=1223398 Bug ID: 1223398 Summary: VUL-0: CVE-2024-22373: gdcm: out-of-bounds write in the JPEG2000Codec:DecodeByStreamsCommon functionality Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/403162/ OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Other Assignee: axel.braun(a)gmx.de Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- An out-of-bounds write vulnerability exists in the JPEG2000Codec::DecodeByStreamsCommon functionality of Mathieu Malaterre Grassroot DICOM 3.0.23. A specially crafted DICOM file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-22373 https://www.cve.org/CVERecord?id=CVE-2024-22373 https://talosintelligence.com/vulnerability_reports/TALOS-2024-1935 https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1935 -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1223260] New: SELinux denies pcp
by bugzilla_noreply＠suse.com 22 Aug '24

22 Aug '24

https://bugzilla.suse.com/show_bug.cgi?id=1223260 Bug ID: 1223260 Summary: SELinux denies pcp Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team(a)suse.de Reporter: felix.niederwanger(a)suse.com QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- Created attachment 874416 --> https://bugzilla.suse.com/attachment.cgi?id=874416&action=edit ausearch -ts boot -m avc On MicroOS starting pmlogger with SELinux in enforcing mode fails with several SELinux related denials > Apr 22 13:14:01 microos systemd[1]: Starting Performance Metrics Archive Logger... > Apr 22 13:14:01 microos rc[2682]: /etc/pcp/pmlogger/rc: line 153: /var/lib/pcp/tmp/pmlogger_rc.d9N3i7aLW/tmp: Permission denied > Apr 22 13:14:01 microos rc[2750]: /etc/pcp/pmlogger/rc: line 92: /var/lib/pcp/tmp/pmlogger_rc_start.7vdZJLmGN/pmcheck.out: Permission denied > Apr 22 13:14:01 microos systemd[1]: pmlogger.service: Main process exited, code=exited, status=1/FAILURE > Apr 22 13:14:01 microos systemd[1]: pmlogger.service: Failed with result 'exit-code'. > Apr 22 13:14:01 microos systemd[1]: Failed to start Performance Metrics Archive Logger. > Apr 22 13:14:01 microos systemd[1]: pmlogger.service: Scheduled restart job, restart counter is at 1. > Apr 22 13:14:01 microos systemd[1]: Stopped Performance Metrics Archive Logger. > Apr 22 13:14:01 microos systemd[1]: Starting Performance Metrics Archive Logger... > Apr 22 13:14:01 microos rc[2958]: /etc/pcp/pmlogger/rc: line 153: /var/lib/pcp/tmp/pmlogger_rc.yWYJd9JBe/tmp: Permission denied > Apr 22 13:14:01 microos rc[2991]: /etc/pcp/pmlogger/rc: line 92: /var/lib/pcp/tmp/pmlogger_rc_start.OcmNVcLdA/pmcheck.out: Permission denied > Apr 22 13:14:01 microos systemd[1]: pmlogger.service: Main process exited, code=exited, status=1/FAILURE > Apr 22 13:14:01 microos systemd[1]: pmlogger.service: Failed with result 'exit-code'. > Apr 22 13:14:01 microos systemd[1]: Failed to start Performance Metrics Archive Logger. > ... I'm attaching the output of ausearch -ts boot -m avc, failures are coming from the rc program and related to tmp and pmcheck.out. -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1219527] New: abcde breaks on non-octal track numbers
by bugzilla_noreply＠suse.com 22 Aug '24

22 Aug '24

https://bugzilla.suse.com/show_bug.cgi?id=1219527 Bug ID: 1219527 Summary: abcde breaks on non-octal track numbers Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.5 Hardware: x86-64 OS: openSUSE Leap 15.5 Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: screening-team-bugs(a)suse.de Reporter: geoff(a)cs.hmc.edu QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- Created attachment 872425 --> https://bugzilla.suse.com/attachment.cgi?id=872425&action=edit Patch to /usr/bin/abcde abcde pads track numbers with a leading zero but later does some bash arithmetic on the track number. That breaks for track numbers 8 and 9, because 09 isn't an octal number. Reproduce by inserting an 8+ track CD and running "abcde -T 1 8-8". The attached patch will correct the problem for any CD having 99 or fewer tracks. (As far as I know, 99 is the track limit for CDs, though I definitely could be wrong.) -- You are receiving this mail because: You are on the CC list for the bug.

1 1