[Bug 1227158] New: VUL-0: CVE-2024-24792: app-builder: golang.org/x/image/tiff: parsing of a corrupt or malicious image with invalid color indices can cause a panic
https://bugzilla.suse.com/show_bug.cgi?id=1227158

            Bug ID: 1227158
           Summary: VUL-0: CVE-2024-24792: app-builder: golang.org/x/image/tiff: parsing of a corrupt or malicious image with invalid color indices can cause a panic
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.6
          Hardware: Other
               URL: https://smash.suse.de/issue/412299/
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: brunopitrus@hotmail.com
          Reporter: smash_bz@suse.de
        QA Contact: security-team@suse.de
                CC: camila.matos@suse.com
  Target Milestone: ---
          Found By: Security Response Team
           Blocker: ---

Parsing a corrupt or malicious image with invalid color indices can cause a panic.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24792
https://www.cve.org/CVERecord?id=CVE-2024-24792
https://go.dev/cl/588115
https://go.dev/issue/67624
https://pkg.go.dev/vuln/GO-2024-2937

--
You are receiving this mail because:
You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1227158

Camila Camargo de Matos <camila.matos@suse.com> changed:

What    |Removed                     |Added
----------------------------------------------------------------------------
Assignee|brunopitrus@hotmail.com     |security-team@suse.de

https://bugzilla.suse.com/show_bug.cgi?id=1227158

Camila Camargo de Matos <camila.matos@suse.com> changed:

What    |Removed                     |Added
----------------------------------------------------------------------------
Summary |VUL-0: CVE-2024-24792:      |VUL-0: CVE-2024-24792:
        |app-builder:                |TRACKERBUG:
        |golang.org/x/image/tiff:    |golang.org/x/image/tiff:
        |parsing of a corrupt or     |parsing of a corrupt or
        |malicious image with        |malicious image with
        |invalid color indices can   |invalid color indices can
        |cause a panic               |cause a panic

https://bugzilla.suse.com/show_bug.cgi?id=1227158

SMASH SMASH <smash_bz@suse.de> changed:

What    |Removed                     |Added
----------------------------------------------------------------------------
Priority|P5 - None                   |P3 - Medium

https://bugzilla.suse.com/show_bug.cgi?id=1227158

Camila Camargo de Matos <camila.matos@suse.com> changed:

What      |Removed                     |Added
----------------------------------------------------------------------------
Depends on|                            |1227164

https://bugzilla.suse.com/show_bug.cgi?id=1227158

Camila Camargo de Matos <camila.matos@suse.com> changed:

What      |Removed                     |Added
----------------------------------------------------------------------------
Depends on|                            |1227165

https://bugzilla.suse.com/show_bug.cgi?id=1227158

Camila Camargo de Matos <camila.matos@suse.com> changed:

What      |Removed                     |Added
----------------------------------------------------------------------------
Depends on|                            |1227166

https://bugzilla.suse.com/show_bug.cgi?id=1227158

Camila Camargo de Matos <camila.matos@suse.com> changed:

What      |Removed                     |Added
----------------------------------------------------------------------------
Depends on|                            |1227167

https://bugzilla.suse.com/show_bug.cgi?id=1227158

Camila Camargo de Matos <camila.matos@suse.com> changed:

What      |Removed                     |Added
----------------------------------------------------------------------------
Depends on|                            |1227168

https://bugzilla.suse.com/show_bug.cgi?id=1227158

Camila Camargo de Matos <camila.matos@suse.com> changed:

What      |Removed                     |Added
----------------------------------------------------------------------------
Depends on|                            |1227169

https://bugzilla.suse.com/show_bug.cgi?id=1227158

Camila Camargo de Matos <camila.matos@suse.com> changed:

What      |Removed                     |Added
----------------------------------------------------------------------------
Depends on|                            |1227170

https://bugzilla.suse.com/show_bug.cgi?id=1227158
https://bugzilla.suse.com/show_bug.cgi?id=1227158#c3

Bruno Pitrus <brunopitrus@hotmail.com> changed:

What      |Removed                     |Added
----------------------------------------------------------------------------
Status    |NEW                         |RESOLVED
CC        |                            |brunopitrus@hotmail.com
Resolution|---                         |WONTFIX

--- Comment #3 from Bruno Pitrus <brunopitrus@hotmail.com> ---
This is a build tool mainly intended to be used on OBS, and nobody cares if a package maintainer denies service to themself.

https://bugzilla.suse.com/show_bug.cgi?id=1227158
https://bugzilla.suse.com/show_bug.cgi?id=1227158#c4

Bruno Pitrus <brunopitrus@hotmail.com> changed:

What      |Removed                     |Added
----------------------------------------------------------------------------
Resolution|WONTFIX                     |---
Status    |RESOLVED                    |REOPENED

--- Comment #4 from Bruno Pitrus <brunopitrus@hotmail.com> ---
Sorry, closed wrong bug.

https://bugzilla.suse.com/show_bug.cgi?id=1227158

Bug 1227158 depends on bug 1227164, which changed state.

Bug 1227164 Summary: VUL-0: CVE-2024-24792: app-builder: golang.org/x/image/tiff: parsing of a corrupt or malicious image with invalid color indices can cause a panic
https://bugzilla.suse.com/show_bug.cgi?id=1227164

What      |Removed                     |Added
----------------------------------------------------------------------------
Status    |NEW                         |RESOLVED
Resolution|---                         |WONTFIX

https://bugzilla.suse.com/show_bug.cgi?id=1227158

Bruno Pitrus <brunopitrus@hotmail.com> changed:

What    |Removed                     |Added
----------------------------------------------------------------------------
CC      |brunopitrus@hotmail.com     |

https://bugzilla.suse.com/show_bug.cgi?id=1227158

Matthias Bach <marix@marix.org> changed:

What    |Removed                     |Added
----------------------------------------------------------------------------
CC      |                            |marix@marix.org
Status  |REOPENED                    |CONFIRMED

https://bugzilla.suse.com/show_bug.cgi?id=1227158
https://bugzilla.suse.com/show_bug.cgi?id=1227158#c5

--- Comment #5 from Matthias Bach <marix@marix.org> ---
Fix is on its way for Tumbleweed. What's kind of blocking me for Leap is that there's still a previous maintenance request [1] in the pipeline and I am somewhat unsure about all the things I will break if I now trigger a second one before that is shipped.

[1]: https://build.opensuse.org/project/show/openSUSE:Maintenance:18435

https://bugzilla.suse.com/show_bug.cgi?id=1227158

Bug 1227158 depends on bug 1227168, which changed state.

Bug 1227168 Summary: VUL-0: CVE-2024-24792: kitty: golang.org/x/image/tiff: parsing of a corrupt or malicious image with invalid color indices can cause a panic
https://bugzilla.suse.com/show_bug.cgi?id=1227168

What      |Removed                     |Added
----------------------------------------------------------------------------
Status    |IN_PROGRESS                 |RESOLVED
Resolution|---                         |FIXED