[Bug 1220096] New: VUL-0: CVE-2024-26134: python-cbor2: potential crash when hashing a CBORTag
https://bugzilla.suse.com/show_bug.cgi?id=1220096 Bug ID: 1220096 Summary: VUL-0: CVE-2024-26134: python-cbor2: potential crash when hashing a CBORTag Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/394540/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: dmueller@suse.com Reporter: smash_bz@suse.de QA Contact: security-team@suse.de CC: carlos.lopez@suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26134 https://www.cve.org/CVERecord?id=CVE-2024-26134 https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618... https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d02... https://github.com/agronholm/cbor2/pull/204 https://github.com/agronholm/cbor2/releases/tag/5.6.2 https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m https://bugzilla.redhat.com/show_bug.cgi?id=2265034 -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1220096 https://bugzilla.suse.com/show_bug.cgi?id=1220096#c1 --- Comment #1 from Carlos López <carlos.lopez@suse.com> --- (In reply to SMASH SMASH from comment #0)
Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service (...)
We have 5.5.1 in openSUSE:Backports:SLE-15-SP6 and openSUSE:Factory, but it seems to me that 5.5.1 is the last version to not be affected. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1220096 Maintenance Automation <maint-coord+maintenance-robot@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P3 - Medium -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1220096 https://bugzilla.suse.com/show_bug.cgi?id=1220096#c2 Dirk Mueller <dmueller@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Assignee|dmueller@suse.com |security-team@suse.de Resolution|--- |FIXED --- Comment #2 from Dirk Mueller <dmueller@suse.com> --- (In reply to Carlos López from comment #1)
We have 5.5.1 in openSUSE:Backports:SLE-15-SP6 and openSUSE:Factory, but it seems to me that 5.5.1 is the last version to not be affected.
I can agree with that statement. it doesn't look like 5.5.1 is affected. so overall only Factory was ever affected which is however already fixed. I added the CVE reference to the changes file now. -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com