|
Bugzilla – Full Text Bug Listing |
| Summary: | VUL-0: CVE-2024-29073: anki: arbitrary file read through the Latex handler | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | SMASH SMASH <smash_bz> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | NEW --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P3 - Medium | CC: | camila.matos |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/414902/ | ||
| Whiteboard: | |||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
|
Description
SMASH SMASH
2024-07-22 17:06:57 UTC
I think I can't really help with this. I only touched the Anki package once, in 2019. Our versio is 2.1.13 from May 2019. And the current upstream version is 24.06.3 and even though the version schema changed we are A LOT of versions behind. I believe the reason for this is that a long time ago Anki changed something which made it super annoying to package it. I don't remember the details anymore but remember that I was quite annoyed at something and after my once contribution decided not to contribute anymore. I believe more distro packagers felt that way since we can see that several other distros are also quite behind in their packaging of Anki. Fedora and Debian got stuck at 2.1.15 as well. Sadly I have to recommend that people use the flatpak version of it. As for fixing these bugs I'm not sure who could do it or whether it's possible to remove Anki from 15.6 repos.. Luckily it's only in `Education` and not in Factory anymore. |