July 2024 - openSUSE Bugs - openSUSE Mailing Lists

[Bug 1227167] New: VUL-0: CVE-2024-24792: keybase-client: golang.org/x/image/tiff: parsing of a corrupt or malicious image with invalid color indices can cause a panic
by bugzilla_noreply＠suse.com 23 Aug '24

23 Aug '24

https://bugzilla.suse.com/show_bug.cgi?id=1227167 Bug ID: 1227167 Summary: VUL-0: CVE-2024-24792: keybase-client: golang.org/x/image/tiff: parsing of a corrupt or malicious image with invalid color indices can cause a panic Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/412299/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: marix(a)marix.org Reporter: camila.matos(a)suse.com QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com, security-team(a)suse.de, smash_bz(a)suse.de Blocks: 1227158 Target Milestone: --- Found By: Security Response Team Blocker: --- +++ This bug was initially created as a clone of Bug #1227158 +++ Parsing a corrupt or malicious image with invalid color indices can cause a panic. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24792 https://www.cve.org/CVERecord?id=CVE-2024-24792 https://go.dev/cl/588115 https://go.dev/issue/67624 https://pkg.go.dev/vuln/GO-2024-2937 -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1223398] New: VUL-0: CVE-2024-22373: gdcm: out-of-bounds write in the JPEG2000Codec:DecodeByStreamsCommon functionality
by bugzilla_noreply＠suse.com 23 Aug '24

23 Aug '24

https://bugzilla.suse.com/show_bug.cgi?id=1223398 Bug ID: 1223398 Summary: VUL-0: CVE-2024-22373: gdcm: out-of-bounds write in the JPEG2000Codec:DecodeByStreamsCommon functionality Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/403162/ OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Other Assignee: axel.braun(a)gmx.de Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: camila.matos(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- An out-of-bounds write vulnerability exists in the JPEG2000Codec::DecodeByStreamsCommon functionality of Mathieu Malaterre Grassroot DICOM 3.0.23. A specially crafted DICOM file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-22373 https://www.cve.org/CVERecord?id=CVE-2024-22373 https://talosintelligence.com/vulnerability_reports/TALOS-2024-1935 https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1935 -- You are receiving this mail because: You are on the CC list for the bug.

1 5

[Bug 1227979] New: VUL-0: chromium,ungoogled-chromium: multiple vulnerabilities fixed in 126.0.6478.182
by bugzilla_noreply＠suse.com 23 Aug '24

23 Aug '24

https://bugzilla.suse.com/show_bug.cgi?id=1227979 Bug ID: 1227979 Summary: VUL-0: chromium,ungoogled-chromium: multiple vulnerabilities fixed in 126.0.6478.182 Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.5 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: gmbr3(a)opensuse.org Reporter: rfrohl(a)suse.com QA Contact: qa-bugs(a)suse.de CC: Andreas.Stieger(a)gmx.de, m.szczepaniak.000(a)gmail.com Target Milestone: --- Found By: --- Blocker: --- The Stable channel has been updated to 126.0.6478.182/183 for Windows, Mac and 126.0.6478.182 for Linux which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log. - High CVE-2024-6772: Inappropriate implementation in V8. Reported by 5fceb6172bbf7e2c5a948183b53565b9 on 2024-06-12 - High CVE-2024-6773: Type Confusion in V8. Reported by 2ourc3 | Salim Largo on 2024-06-17 - High CVE-2024-6774: Use after free in Screen Capture. Reported by lime(@limeSec_) and fmyy(@binary_fmyy) From TIANGONG Team of Legendsec at QI-ANXIN Group on 2024-06-13 - High CVE-2024-6775: Use after free in Media Stream. Reported by Anonymous on 2024-06-15 - High CVE-2024-6776: Use after free in Audio. Reported by lime(@limeSec_) and fmyy(@binary_fmyy) From TIANGONG Team of Legendsec at QI-ANXIN Group on 2024-06-12 - High CVE-2024-6777: Use after free in Navigation. Reported by Sven Dysthe (@svn-dys) on 2024-06-07 - High CVE-2024-6778: Race in DevTools. Reported by Allen Ding on 2024-05-16 - High CVE-2024-6779: Out of bounds memory access in V8. Reported by Seunghyun Lee (@0x10n) on 2024-07-06 https://chromereleases.googleblog.com/2024/07/stable-channel-update-for-des… -- You are receiving this mail because: You are on the CC list for the bug.

1 9

[Bug 1227807] New: bash-completion: Zypper all auto-completion fails after "{}".
by bugzilla_noreply＠suse.com 23 Aug '24

23 Aug '24

https://bugzilla.suse.com/show_bug.cgi?id=1227807 Bug ID: 1227807 Summary: bash-completion: Zypper all auto-completion fails after "{}". Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Basesystem Assignee: screening-team-bugs(a)suse.de Reporter: jakubby(a)protonmail.com QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- Consider the following command: `sudo zypper install ninja gcc SDL2-devel libopenal{0,1}` After libopenal{0,1} auto completion fails: `sudo zypper install ninja gcc SDL2-devel libopenal{0,1} wx` If wx is placed before libopenal{0,1} auto completion doesn't fail: `sudo zypper install ninja gcc SDL2-devel wxWidgets-3_ libopenal{0,1}` -- You are receiving this mail because: You are on the CC list for the bug.

1 9

[Bug 1223260] New: SELinux denies pcp
by bugzilla_noreply＠suse.com 22 Aug '24

22 Aug '24

https://bugzilla.suse.com/show_bug.cgi?id=1223260 Bug ID: 1223260 Summary: SELinux denies pcp Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team(a)suse.de Reporter: felix.niederwanger(a)suse.com QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- Created attachment 874416 --> https://bugzilla.suse.com/attachment.cgi?id=874416&action=edit ausearch -ts boot -m avc On MicroOS starting pmlogger with SELinux in enforcing mode fails with several SELinux related denials > Apr 22 13:14:01 microos systemd[1]: Starting Performance Metrics Archive Logger... > Apr 22 13:14:01 microos rc[2682]: /etc/pcp/pmlogger/rc: line 153: /var/lib/pcp/tmp/pmlogger_rc.d9N3i7aLW/tmp: Permission denied > Apr 22 13:14:01 microos rc[2750]: /etc/pcp/pmlogger/rc: line 92: /var/lib/pcp/tmp/pmlogger_rc_start.7vdZJLmGN/pmcheck.out: Permission denied > Apr 22 13:14:01 microos systemd[1]: pmlogger.service: Main process exited, code=exited, status=1/FAILURE > Apr 22 13:14:01 microos systemd[1]: pmlogger.service: Failed with result 'exit-code'. > Apr 22 13:14:01 microos systemd[1]: Failed to start Performance Metrics Archive Logger. > Apr 22 13:14:01 microos systemd[1]: pmlogger.service: Scheduled restart job, restart counter is at 1. > Apr 22 13:14:01 microos systemd[1]: Stopped Performance Metrics Archive Logger. > Apr 22 13:14:01 microos systemd[1]: Starting Performance Metrics Archive Logger... > Apr 22 13:14:01 microos rc[2958]: /etc/pcp/pmlogger/rc: line 153: /var/lib/pcp/tmp/pmlogger_rc.yWYJd9JBe/tmp: Permission denied > Apr 22 13:14:01 microos rc[2991]: /etc/pcp/pmlogger/rc: line 92: /var/lib/pcp/tmp/pmlogger_rc_start.OcmNVcLdA/pmcheck.out: Permission denied > Apr 22 13:14:01 microos systemd[1]: pmlogger.service: Main process exited, code=exited, status=1/FAILURE > Apr 22 13:14:01 microos systemd[1]: pmlogger.service: Failed with result 'exit-code'. > Apr 22 13:14:01 microos systemd[1]: Failed to start Performance Metrics Archive Logger. > ... I'm attaching the output of ausearch -ts boot -m avc, failures are coming from the rc program and related to tmp and pmcheck.out. -- You are receiving this mail because: You are on the CC list for the bug.

1 2

[Bug 1219527] New: abcde breaks on non-octal track numbers
by bugzilla_noreply＠suse.com 22 Aug '24

22 Aug '24

https://bugzilla.suse.com/show_bug.cgi?id=1219527 Bug ID: 1219527 Summary: abcde breaks on non-octal track numbers Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.5 Hardware: x86-64 OS: openSUSE Leap 15.5 Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: screening-team-bugs(a)suse.de Reporter: geoff(a)cs.hmc.edu QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- Created attachment 872425 --> https://bugzilla.suse.com/attachment.cgi?id=872425&action=edit Patch to /usr/bin/abcde abcde pads track numbers with a leading zero but later does some bash arithmetic on the track number. That breaks for track numbers 8 and 9, because 09 isn't an octal number. Reproduce by inserting an 8+ track CD and running "abcde -T 1 8-8". The attached patch will correct the problem for any CD having 99 or fewer tracks. (As far as I know, 99 is the track limit for CDs, though I definitely could be wrong.) -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1226311] New: Removing arm-none-eabi-c++filt from binutils prevents me from compiling a project (lk2nd)
by bugzilla_noreply＠suse.com 21 Aug '24

21 Aug '24

https://bugzilla.suse.com/show_bug.cgi?id=1226311 Bug ID: 1226311 Summary: Removing arm-none-eabi-c++filt from binutils prevents me from compiling a project (lk2nd) Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: x86-64 OS: openSUSE Tumbleweed Status: NEW Severity: Normal Priority: P5 - None Component: Development Assignee: screening-team-bugs(a)suse.de Reporter: kacper12455(a)tutanota.com QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- Hello, I can't compile lk2nd: https://github.com/msm8916-mainline/lk2nd because it needs the mentioned binary which is removed in the binutils spec file. Error message: arm-none-eabi-objcopy -O binary build-lk2nd-msm8916/lk build-lk2nd-msm8916/lk.bin generating listing: build-lk2nd-msm8916/lk.lst /bin/sh: line 1: arm-none-eabi-c++filt: command not found make[1]: *** [make/build.mk:26: build-lk2nd-msm8916/lk.lst] Error 127 -- You are receiving this mail because: You are on the CC list for the bug.

1 1

[Bug 1216895] New: VUL-0: CVE-2023-47272: Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).
by bugzilla_noreply＠suse.com 21 Aug '24

21 Aug '24

https://bugzilla.suse.com/show_bug.cgi?id=1216895 Bug ID: 1216895 Summary: VUL-0: CVE-2023-47272: Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download). Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/384151/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: aj(a)ajaissle.de Reporter: smash_bz(a)suse.de QA Contact: security-team(a)suse.de CC: stoyan.manolov(a)suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download). References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-47272 -- You are receiving this mail because: You are on the CC list for the bug.

1 3

[Bug 1226043] New: kernel: EXT4-fs error (device dm-0): ext4_mark_recovery_complete:6245: comm mount: Orphan file not empty on read-only fs.
by bugzilla_noreply＠suse.com 21 Aug '24

21 Aug '24

https://bugzilla.suse.com/show_bug.cgi?id=1226043 Bug ID: 1226043 Summary: kernel: EXT4-fs error (device dm-0): ext4_mark_recovery_complete:6245: comm mount: Orphan file not empty on read-only fs. Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: aarch64 OS: Linux Status: NEW Severity: Major Priority: P5 - None Component: Kernel:Filesystems Assignee: kernel-fs(a)suse.de Reporter: jonaski(a)opensuse.org QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- If an filesystem error occurs due to power outage, and it fixes the filesystem errors, it still get's stuck in rescue mode. `journcalctl -b` shows: May 16 10:01:31 edge.vendanor.com systemd[1]: Finished Cryptography Setup for rpi_rootfs. May 16 10:01:31 edge.vendanor.com systemd[1]: Found device /dev/disk/by-uuid/6d048af7-a4ba-4e50-8808-d686e13c286e. May 16 10:01:31 edge.vendanor.com systemd[1]: Reached target Local Encrypted Volumes. May 16 10:01:31 edge.vendanor.com systemd[1]: Reached target Initrd Root Device. May 16 10:01:31 edge.vendanor.com systemd[1]: Reached target System Initialization. May 16 10:01:31 edge.vendanor.com systemd[1]: Reached target Basic System. May 16 10:01:32 edge.vendanor.com systemd[1]: Finished dracut initqueue hook. May 16 10:01:32 edge.vendanor.com systemd[1]: Reached target Preparation for Remote File Systems. May 16 10:01:32 edge.vendanor.com systemd[1]: Reached target Remote Encrypted Volumes. May 16 10:01:32 edge.vendanor.com systemd[1]: Reached target Remote File Systems. May 16 10:01:32 edge.vendanor.com systemd[1]: dracut pre-mount hook was skipped because no trigger condition checks were met. May 16 10:01:32 edge.vendanor.com systemd[1]: Starting File System Check on /dev/disk/by-uuid/6d048af7-a4ba-4e50-8808-d686e13c286e... May 16 10:01:32 edge.vendanor.com systemd-fsck[799]: e2fsck 1.47.0 (5-Feb-2023) May 16 10:01:32 edge.vendanor.com systemd-fsck[799]: ROOT: recovering journal May 16 10:01:32 edge.vendanor.com systemd[1]: clevis-luks-askpass.service: Deactivated successfully. May 16 10:01:32 edge.vendanor.com systemd[1]: clevis-luks-askpass.service: Consumed 3.372s CPU time, 6.6M memory peak, 0B memory swap peak. May 16 10:01:32 edge.vendanor.com systemd-fsck[799]: Clearing orphaned inode 18323 (uid=1001, gid=1001, mode=0100600, size=4194304) May 16 10:01:32 edge.vendanor.com systemd-fsck[799]: Clearing orphaned inode 48587 (uid=1001, gid=1001, mode=040700, size=4096) May 16 10:01:32 edge.vendanor.com systemd-fsck[799]: Truncating orphaned inode 130498 (uid=1000, gid=1000, mode=0100644, size=0) May 16 10:01:32 edge.vendanor.com systemd-fsck[799]: Setting free blocks count to 263168 (was 263539) May 16 10:01:32 edge.vendanor.com systemd-fsck[799]: ROOT: clean, 65957/323840 files, 1043456/1306624 blocks May 16 10:01:32 edge.vendanor.com systemd[1]: Finished File System Check on /dev/disk/by-uuid/6d048af7-a4ba-4e50-8808-d686e13c286e. May 16 10:01:32 edge.vendanor.com systemd[1]: Mounting /sysroot... May 16 10:01:32 edge.vendanor.com kernel: EXT4-fs (dm-0): orphan cleanup on readonly fs May 16 10:01:32 edge.vendanor.com kernel: EXT4-fs error (device dm-0): ext4_orphan_get:1420: comm mount: bad orphan inode 18323 May 16 10:01:32 edge.vendanor.com kernel: ext4_test_bit(bit=2130, block=304) = 0 May 16 10:01:33 edge.vendanor.com kernel: EXT4-fs error (device dm-0): ext4_orphan_get:1420: comm mount: bad orphan inode 48587 May 16 10:01:33 edge.vendanor.com kernel: ext4_test_bit(bit=10, block=308) = 0 May 16 10:01:33 edge.vendanor.com kernel: EXT4-fs (dm-0): 1 truncate cleaned up May 16 10:01:33 edge.vendanor.com kernel: EXT4-fs (dm-0): recovery complete May 16 10:01:33 edge.vendanor.com kernel: EXT4-fs error (device dm-0): ext4_mark_recovery_complete:6245: comm mount: Orphan file not empty on read-only fs. May 16 10:01:33 edge.vendanor.com kernel: EXT4-fs (dm-0): mount failed May 16 10:01:33 edge.vendanor.com mount[822]: mount: /sysroot: mount system call failed: Structure needs cleaning. May 16 10:01:33 edge.vendanor.com mount[822]: dmesg(1) may have more information after failed mount system call. May 16 10:01:33 edge.vendanor.com systemd[1]: sysroot.mount: Mount process exited, code=exited, status=32/n/a May 16 10:01:33 edge.vendanor.com systemd[1]: sysroot.mount: Failed with result 'exit-code'. May 16 10:01:33 edge.vendanor.com systemd[1]: Failed to mount /sysroot. May 16 10:01:33 edge.vendanor.com systemd[1]: Dependency failed for Initrd Root File System. May 16 10:01:33 edge.vendanor.com systemd[1]: Dependency failed for Mountpoints Configured in the Real Root. May 16 10:01:33 edge.vendanor.com systemd[1]: initrd-parse-etc.service: Job initrd-parse-etc.service/start failed with result 'dependency'. May 16 10:01:33 edge.vendanor.com systemd[1]: initrd-parse-etc.service: Triggering OnFailure= dependencies. May 16 10:01:33 edge.vendanor.com systemd[1]: initrd-root-fs.target: Job initrd-root-fs.target/start failed with result 'dependency'. May 16 10:01:33 edge.vendanor.com systemd[1]: initrd-root-fs.target: Triggering OnFailure= dependencies. May 16 10:01:33 edge.vendanor.com systemd[1]: Stopped target Basic System. May 16 10:01:33 edge.vendanor.com systemd[1]: Reached target Initrd File Systems. May 16 10:01:33 edge.vendanor.com systemd[1]: Stopped target System Initialization. May 16 10:01:33 edge.vendanor.com systemd[1]: dracut-initqueue.service: Deactivated successfully. May 16 10:01:33 edge.vendanor.com systemd[1]: Stopped dracut initqueue hook. May 16 10:01:33 edge.vendanor.com systemd[1]: dracut-pre-udev.service: Deactivated successfully. May 16 10:01:33 edge.vendanor.com systemd[1]: Stopped dracut pre-udev hook. May 16 10:01:33 edge.vendanor.com systemd[1]: dracut-cmdline.service: Deactivated successfully. May 16 10:01:33 edge.vendanor.com systemd[1]: Stopped dracut cmdline hook. May 16 10:01:33 edge.vendanor.com systemd[1]: dracut-cmdline-ask.service: Deactivated successfully. May 16 10:01:33 edge.vendanor.com systemd[1]: Stopped dracut ask for additional cmdline parameters. May 16 10:01:33 edge.vendanor.com systemd[1]: Started Emergency Shell. May 16 10:01:33 edge.vendanor.com systemd[1]: Reached target Emergency Mode. May 16 10:01:33 edge.vendanor.com systemd[1]: Startup finished in 1.878s (kernel) + 0 (initrd) + 13.097s (userspace) = 14.976s. May 16 10:01:33 edge.vendanor.com systemd[1]: Received SIGRTMIN+21 from PID 414 (plymouthd). May 16 10:01:33 edge.vendanor.com systemd[1]: Received SIGRTMIN+21 from PID 414 (plymouthd). This is on Raspberry Pi CM4, filesystem is setup like this: /etc/fstab: /dev/mapper/rpi_rootfs / ext4 defaults,noatime 0 1 /dev/mmcblk0p2 /boot ext4 defaults,noatime 0 0 /dev/mmcblk0p1 /boot/efi vfat utf8 0 2 /etc/crypttab: rpi_rootfs UUID=4fb99d03-eec8-4a6c-8d46-e14a6afd975a none x-initrd.attach GRUB_CMDLINE_LINUX_DEFAULT from /etc/default/grub: GRUB_CMDLINE_LINUX_DEFAULT="systemd.show_status=0 vt.global_cursor_default=0 plymouth.ignore-serial-consoles video=HDMI-A-1:1920x1080M@60,rotate=90 fsck.repair=yes cgroup_enable=memory swapaccount=1 net.ifnames=0 rd.neednet=1 ip=192.168.250.20::192.168.250.200:255.255.255.0::eth0:off quiet splash" -- You are receiving this mail because: You are on the CC list for the bug.

1 4

[Bug 1227737] New: Emacs bring some unneeded packages
by bugzilla_noreply＠suse.com 21 Aug '24

21 Aug '24

https://bugzilla.suse.com/show_bug.cgi?id=1227737 Bug ID: 1227737 Summary: Emacs bring some unneeded packages Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: screening-team-bugs(a)suse.de Reporter: dev.dorrejo(a)gmail.com QA Contact: qa-bugs(a)suse.de Target Milestone: --- Found By: --- Blocker: --- Today installing emacs, found that it brings system-user-games zypper install emacs Loading repository data... Reading installed packages... Resolving package dependencies... Problem: 1: the to be installed emacs-29.4-3.1.x86_64 requires 'group(games)', but this requirement cannot be provided not installable providers: system-user-games-20170617-25.4.noarch[repo-oss] Solution 1: do not install emacs-29.4-3.1.x86_64 Solution 2: remove lock to allow installation of system-user-games-20170617-25.4.noarch[repo-oss] Solution 3: break emacs-29.4-3.1.x86_64 by ignoring some of its dependencies Choose from above solutions by number or cancel [1/2/3/c/d/?] (c): 3 -- You are receiving this mail because: You are on the CC list for the bug.

1 8