Bug 1200190 (CVE-2022-32293)

Summary:	VUL-0: CVE-2022-32293: connman: Double-free/Use-after-free in WISPR
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Marcus Meissner <meissner>
Component:	Incidents	Assignee:	Daniel Wagner <daniel.wagner>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	rfrohl, thomas.leroy
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
Whiteboard:
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Comment 2 Marcus Meissner 2022-06-06 10:23:23 UTC

Mitre has assigned CVE-2022-32293.

Comment 3 Thomas Leroy 2022-06-08 12:54:35 UTC

The following codestreams will require a fix after the embargo has been lifted:
- openSUSE:Backports:SLE-15-SP3:Update
- openSUSE:Backports:SLE-15-SP4:Update
- openSUSE:Factory

Comment 4 Daniel Wagner 2022-08-01 08:17:04 UTC

Fix posted upstream

https://lore.kernel.org/connman/20220801080043.4861-3-wagi@monom.org/
https://lore.kernel.org/connman/20220801080043.4861-1-wagi@monom.org/

Comment 6 OBSbugzilla Bot 2022-08-01 16:40:04 UTC

This is an autogenerated message for OBS integration:
This bug (1200190) was mentioned in
https://build.opensuse.org/request/show/992043 Backports:SLE-15-SP3 / connman
https://build.opensuse.org/request/show/992048 Backports:SLE-15-SP4 / connman

Comment 7 Swamp Workflow Management 2022-08-02 22:15:33 UTC

openSUSE-SU-2022:10076-1: An update that fixes two vulnerabilities is now available.

Category: security (critical)
Bug References: 1200189,1200190
CVE References: CVE-2022-32292,CVE-2022-32293
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP4 (src):    connman-1.41-bp154.2.3.1

Comment 8 Marcus Meissner 2022-08-03 07:35:08 UTC

ask mitre to publish the CVE.

factory submission missing perhapsd?

Comment 9 Daniel Wagner 2022-08-04 07:30:11 UTC

I've updated Factory as well:

https://build.opensuse.org/package/view_file/openSUSE:Factory/connman/connman.changes?expand=1

In fact it got merged on the very same day of the public release.

Comment 10 Marcus Meissner 2022-08-04 07:33:50 UTC

weird, verified bsc is mentioned in changes in Factory.

-> done

Comment 11 Swamp Workflow Management 2022-09-30 19:19:17 UTC

openSUSE-SU-2022:10134-1: An update that fixes two vulnerabilities is now available.

Category: security (critical)
Bug References: 1200189,1200190
CVE References: CVE-2022-32292,CVE-2022-32293
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    connman-1.41-bp153.2.6.1