Bug 1218754 (CVE-2023-52339)

Summary:	VUL-0: CVE-2023-52339: In libebml before 1.4.5, an integer overflow in MemIOCallback.cpp can occur when reading or writing. It may result in buffer overflows.
Product:	[openSUSE] openSUSE Distribution	Reporter:	SMASH SMASH <smash_bz>
Component:	Security	Assignee:	Stoyan Manolov <stoyan.manolov>
Status:	RESOLVED DUPLICATE	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	dmueller, stoyan.manolov
Version:	Leap 15.6
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/390983/
Whiteboard:
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description SMASH SMASH 2024-01-12 08:02:39 UTC

In libebml before 1.4.5, an integer overflow in MemIOCallback.cpp can occur when reading or writing. It may result in buffer overflows.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52339
https://www.cve.org/CVERecord?id=CVE-2023-52339
https://github.com/Matroska-Org/libebml/blob/v1.x/NEWS.md
https://github.com/Matroska-Org/libebml/compare/release-1.4.4...release-1.4.5
https://github.com/Matroska-Org/libebml/issues/147
https://github.com/Matroska-Org/libebml/pull/148

Comment 1 Stoyan Manolov 2024-01-12 08:04:35 UTC

OpenSUSE:Factory is already at version 1.4.5. 
OpenSUSE:Backports are affected at version 1.4.4.

Comment 2 Dirk Mueller 2024-01-12 10:02:54 UTC

this is a duplicate of bsc#1218432

Comment 4 Andrea Mattiazzo 2024-02-16 11:24:41 UTC

*** Bug 1219729 has been marked as a duplicate of this bug. ***