[Bug 1232608] New: VUL-0: CVE-2024-50602: audacity: libexpat: DoS via XML_ResumeParser
https://bugzilla.suse.com/show_bug.cgi?id=1232608 Bug ID: 1232608 Summary: VUL-0: CVE-2024-50602: audacity: libexpat: DoS via XML_ResumeParser Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.5 Hardware: Other URL: https://smash.suse.de/issue/425799/ OS: Other Status: NEW Whiteboard: CVSSv3.1:SUSE:CVE-2024-50602:5.5:(AV:L/AC:L/PR:N/UI:R/ S:U/C:N/I:N/A:H) Severity: Normal Priority: P5 - None Component: Security Assignee: davejplater@gmail.com Reporter: andrea.mattiazzo@suse.com QA Contact: security-team@suse.de Blocks: 1232579 Target Milestone: --- Found By: --- Blocker: --- An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-50602 https://www.cve.org/CVERecord?id=CVE-2024-50602 https://github.com/libexpat/libexpat/pull/915 https://bugzilla.redhat.com/show_bug.cgi?id=2321987 -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1232608 https://bugzilla.suse.com/show_bug.cgi?id=1232608#c1 --- Comment #1 from Andrea Mattiazzo <andrea.mattiazzo@suse.com> --- The packages below are or contain embedded packages that are vulnerable to CVE-2024-50602. Tracking as affected: - openSUSE:Factory/audacity contains embedded package: libexpat (R_2_1_0-26-gb3a467e) Please consider version bumping or patching the affected dependencies. The listed codestreams are affected. All other codestreams should not be affected, but feel free to double-check. This is a auto-generated message, please reach out to the reporter directly if you think this is incorrect. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1232608 SMASH SMASH <smash_bz@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P3 - Medium -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1232608 https://bugzilla.suse.com/show_bug.cgi?id=1232608#c2 Dave Plater <davejplater@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kv@kott.no-ip.biz --- Comment #2 from Dave Plater <davejplater@gmail.com> --- @kill_it Konstantin this CVE refers to the VST addon, there's no mention of xpat in the audacity sources. find . -iname "*xpat*" ./cmake-proxies/cmake-modules/dependencies/expat.cmake ./vst3sdk-3.7.12_build_20/vstgui4/vstgui/uidescription/expat ./vst3sdk-3.7.12_build_20/vstgui4/vstgui/uidescription/expat/expat.h ./vst3sdk-3.7.12_build_20/vstgui4/vstgui/uidescription/expat/expat_external.h Can you fix it or should we remove it from the build? Either an updated xpat without the vulnerability or a patch should do. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1232608 https://bugzilla.suse.com/show_bug.cgi?id=1232608#c3 --- Comment #3 from Konstantin Voinov <kv@kott.no-ip.biz> --- (In reply to Dave Plater from comment #2)
@kill_it Konstantin this CVE refers to the VST addon, there's no mention of xpat in the audacity sources. find . -iname "*xpat*" ./cmake-proxies/cmake-modules/dependencies/expat.cmake ./vst3sdk-3.7.12_build_20/vstgui4/vstgui/uidescription/expat ./vst3sdk-3.7.12_build_20/vstgui4/vstgui/uidescription/expat/expat.h ./vst3sdk-3.7.12_build_20/vstgui4/vstgui/uidescription/expat/expat_external.h
Can you fix it or should we remove it from the build? Either an updated xpat without the vulnerability or a patch should do.
We need to patch this vstgui/uidescription/expat/ files manually, because the upstream patch won't apply nicely, is it Ok? Or we can disable VST3 plugins for now as it's GUI is not really working. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1232608 https://bugzilla.suse.com/show_bug.cgi?id=1232608#c4 --- Comment #4 from Konstantin Voinov <kv@kott.no-ip.biz> --- https://build.opensuse.org/requests/1219996 -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com