June 2024 - openSUSE Bugs - openSUSE Mailing Lists

[Bug 1227174] New: VUL-0: CVE-2024-39705: python-nltk: remote code execution through the integrated data package download functionality
by bugzilla_noreply＠suse.com 28 Jun '24

28 Jun '24

https://bugzilla.suse.com/show_bug.cgi?id=1227174 Bug ID: 1227174 Summary: VUL-0: CVE-2024-39705: python-nltk: remote code execution through the integrated data package download functionality Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/412359/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: python-maintainers(a)suse.com Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39705 https://www.cve.org/CVERecord?id=CVE-2024-39705 https://github.com/nltk/nltk/issues/2522 https://github.com/nltk/nltk/issues/3266 https://bugzilla.redhat.com/show_bug.cgi?id=2294671 -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1227132] Leap 15.6 installation lost Display port output
by bugzilla_noreply＠suse.com 28 Jun '24

28 Jun '24

https://bugzilla.suse.com/show_bug.cgi?id=1227132 https://bugzilla.suse.com/show_bug.cgi?id=1227132#c7 --- Comment #7 from Terje J. Hanssen <terjejhanssen(a)gmail.com> --- (In reply to Felix Miata from comment #6) > Do you ever use this Asus with any other computer, such as one that has DVI > output but no DP output? Do you keep a DVI cable connected to this Asus > whether or not it is also connected to any computer? I have now this Asus connected to the normal, rebuild and upgraded computer with quite new hardware (Z790 mobo, i12 and Arc A750 gpu). A750 does have HDMI and DP ports, but no DVI-D. Asus receives input from HDMI connected, which also wakes up the monitor with a bip at boot. With only a Display Port connection, Asus receives no signal from this gpu/computer, neither when I select this manually. The other MSI/Nvidia computer is relocated and connected to its normal, simpler monitor Philips 244E. It works as it should with DVI-D connection, and I have also tested it with the same USB boot installation session. However, I posted this bug because as long as the USB boot installation menu displayed ok over DP to Asus, I found it illogical it should loose this connection during the selected install or upgrade session. Does the Asus have a > firmware update available? When trying to install, were you cold booting the > installation media into installation with no interruptions for cable > switching or display control button pushing? Some monitors can be quirky > when their connectivity is inconsistent. Yours has 4 video inputs from which > to select, and a wealth of features, a formula for a normally dormant > firmware defect to cause inexplicable behavior. I don't remember if Asus ever has had a firmware upgrade, possibly not via Linux I would guess. The benefit with the Asus connections is its flexibility with new and old hardware and for multimedia work. I use also testing my authored and burned BD/DVD discs in standalene players connected via HDMI, -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1225278] Firefox's Search Provider doesn't work on GNOME (and possibly other DEs)
by bugzilla_noreply＠suse.com 28 Jun '24

28 Jun '24

https://bugzilla.suse.com/show_bug.cgi?id=1225278 https://bugzilla.suse.com/show_bug.cgi?id=1225278#c2 Martin Sirringhaus <martin.sirringhaus(a)suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(ant.romano(a)pm.me) --- Comment #2 from Martin Sirringhaus <martin.sirringhaus(a)suse.com> --- I have a potential fix in my home branch: https://build.opensuse.org/package/show/home:MSirringhaus:branches:mozilla:… It is currently still building, but once it's finished, could you try it out Antonio? -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1227158] New: VUL-0: CVE-2024-24792: app-builder: golang.org/x/image/tiff: parsing of a corrupt or malicious image with invalid color indices can cause a panic
by bugzilla_noreply＠suse.com 28 Jun '24

28 Jun '24

https://bugzilla.suse.com/show_bug.cgi?id=1227158 Bug ID: 1227158 Summary: VUL-0: CVE-2024-24792: app-builder: golang.org/x/image/tiff: parsing of a corrupt or malicious image with invalid color indices can cause a panic Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/412299/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: brunopitrus(a)hotmail.com Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- Parsing a corrupt or malicious image with invalid color indices can cause a panic. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24792 https://www.cve.org/CVERecord?id=CVE-2024-24792 https://go.dev/cl/588115 https://go.dev/issue/67624 https://pkg.go.dev/vuln/GO-2024-2937 -- You are receiving this mail because: You are on the CC list for the bug.

1 14

[Bug 1227164] New: VUL-0: CVE-2024-24792: app-builder: golang.org/x/image/tiff: parsing of a corrupt or malicious image with invalid color indices can cause a panic
by bugzilla_noreply＠suse.com 28 Jun '24

28 Jun '24

https://bugzilla.suse.com/show_bug.cgi?id=1227164 Bug ID: 1227164 Summary: VUL-0: CVE-2024-24792: app-builder: golang.org/x/image/tiff: parsing of a corrupt or malicious image with invalid color indices can cause a panic Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/412299/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: brunopitrus(a)hotmail.com Reporter: camila.matos(a)suse.com QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com, security-team(a)suse.de, smash_bz(a)suse.de Blocks: 1227158 Target Milestone: --- Found By: Security Response Team Blocker: --- +++ This bug was initially created as a clone of Bug #1227158 +++ Parsing a corrupt or malicious image with invalid color indices can cause a panic. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24792 https://www.cve.org/CVERecord?id=CVE-2024-24792 https://go.dev/cl/588115 https://go.dev/issue/67624 https://pkg.go.dev/vuln/GO-2024-2937 -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1122683] AUDIT-FIND: osc: deprecate insecure APIs
by bugzilla_noreply＠suse.com 28 Jun '24

28 Jun '24

https://bugzilla.suse.com/show_bug.cgi?id=1122683 https://bugzilla.suse.com/show_bug.cgi?id=1122683#c5 --- Comment #5 from OBSbugzilla Bot <bwiedemann+obsbugzillabot(a)suse.com> --- This is an autogenerated message for OBS integration: This bug (1122683) was mentioned in https://build.opensuse.org/request/show/1183845 Tools / osc -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1227124] New: XWayland applications appear blurry and have resolution issues when fractional scaling is enabled under GNOME
by bugzilla_noreply＠suse.com 28 Jun '24

28 Jun '24

https://bugzilla.suse.com/show_bug.cgi?id=1227124 Bug ID: 1227124 Summary: XWayland applications appear blurry and have resolution issues when fractional scaling is enabled under GNOME Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: x86-64 OS: openSUSE Tumbleweed Status: NEW Severity: Major Priority: P5 - None Component: GNOME Assignee: gnome-bugs(a)suse.de Reporter: reiokorn(a)tutanota.com QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- Summary: When fractional scaling is enabled on GNOME (experimental option), XWayland applications, such as Steam, OnlyOffice, and Wine, experience significant usability issues. These include blurry appearance and the inability to set native resolutions for games. Description: When fractional scaling is enabled on GNOME: 1. Blurriness: Applications not yet on Wayland, like Steam and OnlyOffice, appear blurry when using XWayland. 2. Resolution Issues in Wine: For gaming applications running on Wine (also not yet on Wayland), the native resolution option becomes unavailable. Users are forced to choose between: - 200% scaling with 0.75 font scaling (equivalent to 150%) - 100% scaling with 1.5 font scaling This forces users to decide between larger fonts or larger icons, neither of which is ideal. Additional Issues: - While Wayland-native applications work as expected, XWayland applications face these issues. - The mentioned scaling options work for GTK applications, but QT applications become too small and require additional scaling adjustments through environment variables. Potential Fix: There is a pending merge request that aims to allow XWayland applications to scale themselves, which could circumvent these issues: [GNOME Mutter Merge Request #3567](https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/3567). Steps to Reproduce: 1. Enable fractional scaling on GNOME. 2. Launch any XWayland application (e.g., Steam or OnlyOffice). 3. Observe the blurry appearance. 4. Attempt to set native resolution in a game running on Wine and observe the unavailability of native resolution options. Expected Results: XWayland applications should scale properly and maintain clarity, and users should be able to set native resolutions in Wine without being forced to choose between suboptimal scaling options. Actual Results: XWayland applications appear blurry, and native resolution options are unavailable in Wine when fractional scaling is enabled. System Information: - OS: openSUSE Tumbleweed # VERSION="20240625" - Desktop Environment: GNOME - Fractional Scaling: Enabled - Applications Affected: Steam, OnlyOffice, Wine (among others) This issue significantly impacts user experience, requiring cumbersome workarounds and affecting a broad range of applications, when using a HiDPI monitor and the need to use fractional scaling on GNOME to make it usable. -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1227173] New: [Build 20240627] Wrong colours in the landscape after partitioning
by bugzilla_noreply＠suse.com 28 Jun '24

28 Jun '24

https://bugzilla.suse.com/show_bug.cgi?id=1227173 Bug ID: 1227173 Summary: [Build 20240627] Wrong colours in the landscape after partitioning Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: S/390-64 URL: https://openqa.opensuse.org/tests/4305473/modules/part itioning_finish/steps/1 OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: YaST2 Assignee: yast2-maintainers(a)suse.de Reporter: ada.lovelace(a)gmx.de QA Contact: jsrain(a)suse.com Target Milestone: --- Found By: openQA Blocker: Yes ## Observation The openQA test is failing because the world map with the sea after finishing partitioning is brown coloured instead of with beautiful blue water. That seems to be wrong (a bug). openQA test in scenario opensuse-Tumbleweed-DVD-s390x-textmode-server@s390x-zVM-vswitch-l2 fails in [partitioning_finish](https://openqa.opensuse.org/tests/4305473/modules/part… ## Test suite description The base test suite is used for job templates defined in YAML documents. It has no settings of its own. ## Reproducible Fails since (at least) Build [20240606](https://openqa.opensuse.org/tests/4255925) ## Expected result Last good: [20240531](https://openqa.opensuse.org/tests/4243619) (or more recent) ## Further details Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=s390x&distri=opensuse… -- You are receiving this mail because: You are on the CC list for the bug.

1 0

[Bug 1227165] New: VUL-0: CVE-2024-24792: gomuks: golang.org/x/image/tiff: parsing of a corrupt or malicious image with invalid color indices can cause a panic
by bugzilla_noreply＠suse.com 28 Jun '24

28 Jun '24

https://bugzilla.suse.com/show_bug.cgi?id=1227165 Bug ID: 1227165 Summary: VUL-0: CVE-2024-24792: gomuks: golang.org/x/image/tiff: parsing of a corrupt or malicious image with invalid color indices can cause a panic Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/412299/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: mcepl(a)suse.com Reporter: camila.matos(a)suse.com QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com, security-team(a)suse.de, smash_bz(a)suse.de Blocks: 1227158 Target Milestone: --- Found By: Security Response Team Blocker: --- +++ This bug was initially created as a clone of Bug #1227158 +++ Parsing a corrupt or malicious image with invalid color indices can cause a panic. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24792 https://www.cve.org/CVERecord?id=CVE-2024-24792 https://go.dev/cl/588115 https://go.dev/issue/67624 https://pkg.go.dev/vuln/GO-2024-2937 -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1227170] New: VUL-0: CVE-2024-24792: neonmodem: golang.org/x/image/tiff: parsing of a corrupt or malicious image with invalid color indices can cause a panic
by bugzilla_noreply＠suse.com 28 Jun '24

28 Jun '24

https://bugzilla.suse.com/show_bug.cgi?id=1227170 Bug ID: 1227170 Summary: VUL-0: CVE-2024-24792: neonmodem: golang.org/x/image/tiff: parsing of a corrupt or malicious image with invalid color indices can cause a panic Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/412299/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: jkowalczyk(a)suse.com Reporter: camila.matos(a)suse.com QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com, security-team(a)suse.de, smash_bz(a)suse.de Blocks: 1227158 Target Milestone: --- Found By: Security Response Team Blocker: --- +++ This bug was initially created as a clone of Bug #1227158 +++ Parsing a corrupt or malicious image with invalid color indices can cause a panic. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24792 https://www.cve.org/CVERecord?id=CVE-2024-24792 https://go.dev/cl/588115 https://go.dev/issue/67624 https://pkg.go.dev/vuln/GO-2024-2937 -- You are receiving this mail because: You are on the CC list for the bug.

1 1