Bug 1220096 (CVE-2024-26134)

Summary: VUL-0: CVE-2024-26134: python-cbor2: potential crash when hashing a CBORTag
Product: [openSUSE] openSUSE Distribution
Reporter: SMASH SMASH <smash_bz>
Component: Security
Assignee: Dirk Mueller <dmueller>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: carlos.lopez
Version: Leap 15.6
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/394540/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-02-20 08:57:09 UTC
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26134
https://www.cve.org/CVERecord?id=CVE-2024-26134
https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542
https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df
https://github.com/agronholm/cbor2/pull/204
https://github.com/agronholm/cbor2/releases/tag/5.6.2
https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m
https://bugzilla.redhat.com/show_bug.cgi?id=2265034
Comment 1 Carlos López 2024-02-20 09:06:27 UTC
(In reply to SMASH SMASH from comment #0)
> Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service (...)

We have 5.5.1 in openSUSE:Backports:SLE-15-SP6 and openSUSE:Factory, but it seems to me that 5.5.1 is the last version to not be affected.