Bug 1221053 (CVE-2024-25817)

Summary: VUL-0: CVE-2024-25817: eza: potential heap overflow in AArch64
Product: [openSUSE] openSUSE Distribution
Reporter: SMASH SMASH <smash_bz>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: carlos.lopez, mvetter
Version: Leap 15.6
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/396421/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-03-06 11:02:18 UTC
Buffer Overflow vulnerability in eza before version 0.18.2 allows local attackers to execute arbitrary code via the .git/HEAD, .git/refs, and .git/objects components.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25817
https://www.cubeyond.net/blog/my-cves/eza-cve-report
https://www.cve.org/CVERecord?id=CVE-2024-25817
https://github.com/advisories/GHSA-3qx3-6hxr-j2ch
https://bugzilla.redhat.com/show_bug.cgi?id=2268034
Comment 1 Carlos López 2024-03-06 11:03:14 UTC
Relevant for openSUSE:Backports:SLE-15-SP6/eza. Factory is already on a fixed version.

Comment 2 Michael Vetter 2024-03-06 12:38:23 UTC
SR#1155551 to add bugzilla reference to changelog.
SR#1155552 to push newest eza to openSUSE:Backports:SLE-15-SP6

Comment 3 OBSbugzilla Bot 2024-03-06 13:35:07 UTC
This is an autogenerated message for OBS integration:
This bug (1221053) was mentioned in
https://build.opensuse.org/request/show/1155551 Factory / eza

Comment 4 Michael Vetter 2024-03-08 06:06:38 UTC
All SRs accepted.

Comment 5 Carlos López 2024-03-08 11:52:39 UTC
Done, closing.