Bug 1214111 (CVE-2023-3894)

Summary: VUL-0: CVE-2023-3894: jackson-dataformats-text: DoS during toml deserialization
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Carlos López <carlos.lopez>
Component: Security
Assignee: Gus Kenion <gus.kenion>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: fstrba
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/374699/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Carlos López 2023-08-09 10:05:59 UTC
CVE-2023-3894

Those using jackson-dataformats-text to parse TOML data may be vulnerable to
Denial of Service attacks (DoS). If the parser is running on user-supplied
input, an attacker may supply content that causes the parser to crash by
stack overflow. This effect may support a denial of service attack.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3894
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50083
https://www.cve.org/CVERecord?id=CVE-2023-3894
https://github.com/FasterXML/jackson-dataformats-text/blob/2.16/release-notes/VERSION-2.x
https://github.com/FasterXML/jackson-dataformats-text/pull/398
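The failure class behind this report, as an added illustration that is not part of the bug report and not Jackson's code: a recursive-descent parser whose recursion depth is set by the nesting depth of attacker-controlled input, next to the same parser with an explicit nesting bound. The toy parser below handles only TOML-style arrays of integers and is written in Python so it runs stand-alone; `nested_array`, `parse_array_unbounded`, `parse_array_hardened` and `outcome` are names chosen here, and the nested-bracket input is constructed for the example, not taken from the OSS-Fuzz reproducer.

```python
# Added illustration of the CVE-2023-3894 failure class: a recursive-descent
# parser whose recursion depth is controlled by input nesting. This is a toy
# parser for TOML-style integer arrays written for this page; it is not
# Jackson's TomlParser and does not reproduce its internals.


class ParseError(ValueError):
    """Controlled rejection of malformed or over-nested input."""


def nested_array(depth):
    """Constructed attacker input: `depth` opening brackets, then `depth` closing ones."""
    return "[" * depth + "]" * depth


def _skip_ws(text, pos):
    while pos < len(text) and text[pos] in " \t\r\n":
        pos += 1
    return pos


def _parse_value(text, pos, depth, max_depth):
    """Parse an integer or an array starting at text[pos].

    `depth` is the number of arrays already open. With max_depth=None the
    only bound on recursion is the interpreter's stack, which is the bug.
    """
    pos = _skip_ws(text, pos)
    if pos >= len(text):
        raise ParseError("unexpected end of input")
    if text[pos] == "[":
        if max_depth is not None and depth >= max_depth:
            raise ParseError(f"array nesting exceeds limit of {max_depth}")
        return _parse_array(text, pos, depth + 1, max_depth)
    start = pos
    if text[pos] in "+-":
        pos += 1
    while pos < len(text) and text[pos].isdigit():
        pos += 1
    if not text[start:pos].lstrip("+-"):
        raise ParseError(f"expected a value at offset {start}")
    return int(text[start:pos]), pos


def _parse_array(text, pos, depth, max_depth):
    """Parse '[' value (',' value)* ']' with text[pos] == '['; one frame per level."""
    pos += 1
    items = []
    while True:
        pos = _skip_ws(text, pos)
        if pos >= len(text):
            raise ParseError("unterminated array")
        if text[pos] == "]":
            return items, pos + 1
        value, pos = _parse_value(text, pos, depth, max_depth)
        items.append(value)
        pos = _skip_ws(text, pos)
        if pos < len(text) and text[pos] == ",":
            pos += 1
        elif pos < len(text) and text[pos] == "]":
            continue
        else:
            raise ParseError(f"expected ',' or ']' at offset {pos}")


def _finish(text, value, pos):
    if _skip_ws(text, pos) != len(text):
        raise ParseError("trailing data after array")
    if not isinstance(value, list):
        raise ParseError("top-level value is not an array")
    return value


def parse_array_unbounded(text):
    """Vulnerable form: no nesting bound, so nested_array(100000) exhausts the stack."""
    value, pos = _parse_value(text, 0, 0, None)
    return _finish(text, value, pos)


def parse_array_hardened(text, max_depth=64):
    """Hardened form: refuses input nested deeper than max_depth with a ParseError.

    The bound must stay well under the interpreter's own frame budget (two
    frames per level here), otherwise the stack runs out before the check fires.
    """
    value, pos = _parse_value(text, 0, 0, max_depth)
    return _finish(text, value, pos)


def outcome(parser, text):
    """Classify a parse: 'ok', 'rejected' (controlled) or 'stack exhausted' (the DoS)."""
    try:
        parser(text)
        return "ok"
    except RecursionError:
        return "stack exhausted"
    except ParseError:
        return "rejected"


if __name__ == "__main__":
    hostile = nested_array(100_000)
    print("unbounded:", outcome(parse_array_unbounded, hostile))  # stack exhausted
    print("hardened: ", outcome(parse_array_hardened, hostile))   # rejected
    print(parse_array_hardened("[1, [2, [3, 4]], -5]"))           # [1, [2, [3, 4]], -5]
```

The point of the hardened form is that the refusal happens at a chosen depth with an ordinary exception the caller can handle, rather than at whatever depth the thread's stack happens to permit; in a JVM parser the uncontrolled case is a StackOverflowError, which is what the report describes. Pick the bound from the data you actually accept (real TOML rarely nests more than a handful of levels) and keep it far below the stack budget of the parsing thread.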
Comment 1 Fridrich Strba 2024-03-06 15:13:23 UTC
Gus, please look at this and also upgrade the related packages so that we are on the same minor version 2.16.x.
Comment 2 Gus Kenion 2024-03-08 14:32:15 UTC
Submitted 2.16.1 updates of the following jackson packages to Java:packages:
jackson-annotations
jackson-bom
jackson-core
jackson-databind
jackson-dataformats-text
jackson-dataformats-binary
jackson-dataformat-xml
jackson-datatypes-collections
jackson-jaxrs-providers
jackson-modules-base
jackson-modules-java8
jackson-parent
Comment 3 OBSbugzilla Bot 2024-03-10 23:35:02 UTC
This is an autogenerated message for OBS integration:
This bug (1214111) was mentioned in
https://build.opensuse.org/request/show/1156784 Factory / jackson-dataformats-text
Comment 4 Gus Kenion 2024-03-25 08:13:19 UTC
Updated versions of affected packages are available to install on Tumbleweed.