[Bug 1233852] New: VUL-0: CVE-2024-21538: python-furo,python-jupyter-ydoc,python-ipympl,python-nbdime,python-pytest-html,python-panel: cross-spawn: regular expression denial of service
https://bugzilla.suse.com/show_bug.cgi?id=1233852 Bug ID: 1233852 Summary: VUL-0: CVE-2024-21538: python-furo,python-jupyter-ydoc,python-ipympl,python-n bdime,python-pytest-html,python-panel: cross-spawn: regular expression denial of service Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.5 Hardware: Other URL: https://smash.suse.de/issue/427356/ OS: Other Status: NEW Whiteboard: CVSSv3.1:SUSE:CVE-2024-21538:5.5:(AV:L/AC:L/PR:N/UI:R/ S:U/C:N/I:N/A:H) Severity: Normal Priority: P5 - None Component: Security Assignee: daniel.garcia@suse.com Reporter: andrea.mattiazzo@suse.com QA Contact: security-team@suse.de Blocks: 1233843 Target Milestone: --- Found By: --- Blocker: --- Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21538 https://www.cve.org/CVERecord?id=CVE-2024-21538 https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806... https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d... https://github.com/moxystudio/node-cross-spawn/pull/160 https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230 https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349 https://bugzilla.redhat.com/show_bug.cgi?id=2324550 https://github.com/CVEProject/cvelistV5/blob/main//cves/2024/21xxx/CVE-2024-... -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1233852 https://bugzilla.suse.com/show_bug.cgi?id=1233852#c1 --- Comment #1 from Andrea Mattiazzo <andrea.mattiazzo@suse.com> --- The packages below are or contain embedded packages that are vulnerable to CVE-2024-21538: - openSUSE:Factory/python-furo contains embedded package: cross-spawn (7.0.3) - openSUSE:Factory/python-ipympl contains embedded package: cross-spawn (6.0.5) - openSUSE:Factory/python-ipympl contains embedded package: cross-spawn (7.0.3) - openSUSE:Factory/python-jupyter-ydoc contains embedded package: cross-spawn (7.0.3) - openSUSE:Factory/python-nbdime contains embedded package: cross-spawn (6.0.5) - openSUSE:Factory/python-nbdime contains embedded package: cross-spawn (7.0.3) - openSUSE:Factory/python-panel contains embedded package: cross-spawn (7.0.3) - openSUSE:Factory/python-pytest-html contains embedded package: cross-spawn (7.0.3) Please consider version bumping or patching the affected dependencies. The listed codestreams are affected. All other codestreams should not be affected, but feel free to double-check. This is a auto-generated message, please reach out to the reporter directly if you think this is incorrect. No bug-owner found for these packages, if the assignation is not correct feel free to re-assign. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1233852 SMASH SMASH <smash_bz@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P3 - Medium -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1233852 Daniel Garcia <daniel.garcia@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|daniel.garcia@suse.com |python-maintainers@suse.com -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1233852 Matej Cepl <mcepl@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|python-maintainers@suse.com |nico.krapp@suse.com -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1233852 https://bugzilla.suse.com/show_bug.cgi?id=1233852#c2 Nico Krapp <nico.krapp@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |IN_PROGRESS --- Comment #2 from Nico Krapp <nico.krapp@suse.com> --- I checked and all of these packages are not actually affected as cross-spawn is a dev dependency in all of them. Still, I opened requests to update the node modules for the listed packages that were easily updatable: python-furo: https://build.opensuse.org/requests/1228514 python-jupyter-ydoc: https://build.opensuse.org/requests/1228560 python-ipympl: this one didn't build with the updated modules, but it is still not affected python-nbdime: https://build.opensuse.org/requests/1228565 python-pytest-html: https://build.opensuse.org/requests/1228563 python-panel: already got updated -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1233852 https://bugzilla.suse.com/show_bug.cgi?id=1233852#c3 Nico Krapp <nico.krapp@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|nico.krapp@suse.com |security-team@suse.de --- Comment #3 from Nico Krapp <nico.krapp@suse.com> --- All requests have been accepted into Factory, I think we can close this -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com