Bug 1220666 (CVE-2024-22871)

Summary: VUL-0: CVE-2024-22871: clojure: denial of service (DoS) via the clojure.core$partial$fn__5920 function.
Product: [openSUSE] openSUSE Distribution Reporter: SMASH SMASH <smash_bz>
Component: SecurityAssignee: Security Team bot <security-team>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: stoyan.manolov
Version: Leap 15.6   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/395778/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-02-29 11:52:50 UTC 
An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an attacker to cause a denial of service (DoS) via the clojure.core$partial$fn__5920 function.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-22871
https://www.cve.org/CVERecord?id=CVE-2024-22871
https://hackmd.io/%40fe1w0/rymmJGida
https://bugzilla.redhat.com/show_bug.cgi?id=2266785
Comment 1 Michael Vetter 2024-02-29 12:00:04 UTC 
> An issue in Clojure versions 1.20

1.20? I don't think that version exists yet.
Comment 2 Michael Vetter 2024-03-08 05:44:23 UTC 
The nvd website states "1.20 to 1.12.0-alpha5" the original blogpost however mentions "Under org.clojure:clojur (1.2.0 - 1.12.0-alpha5)" which makes more sense.

https://github.com/advisories/GHSA-vr64-r9qj-h27f has more info about this bug.

It was edited by an upstream clojure developer here: https://github.com/github/advisory-database/pull/3891/files
And according to him the vuln is not only until alpha5 but it is until alpha8 (latest alpha) and git master.

The upstream bugreport https://clojure.atlassian.net/browse/CLJ-2839 contains patches to fix it.

In devel:languages:clojure/clojure we don't build clojure ourselves but ship their released jars/scripts.

It is planned by upstream to create a new release once the fixes are ready/accepted.
Comment 3 Michael Vetter 2024-03-10 06:55:13 UTC 
SR#1156680 to Factory
SR#1156681 to openSUSE:Backports:SLE-15-SP6/clojure

@security just a reminder that the original report is wrong and closure 1.2.0 until clojure-1.12.0-alpha9 or clojure-1.11.2 are actually affected.
Comment 4 OBSbugzilla Bot 2024-03-10 07:35:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1220666) was mentioned in
https://build.opensuse.org/request/show/1156680 Factory / clojure
https://build.opensuse.org/request/show/1156681 Backports:SLE-15-SP6 / clojure
Comment 5 Michael Vetter 2024-03-12 05:33:47 UTC 
All SRs accepted.