Bug 1218446 (CVE-2023-7158) - VUL-0: CVE-2023-7158: micropython: heap-based buffer overflow in function slice_indices of the file objslice.c.
Summary: VUL-0: CVE-2023-7158: micropython: heap-based buffer overflow in function sli...
Status: NEW
Alias: CVE-2023-7158
Product: openSUSE Distribution
Classification: openSUSE
Component: Other (show other bugs)
Version: Leap 15.6
Hardware: Other Other
: P3 - Medium : Normal (vote)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/389587/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-12-29 09:10 UTC by SMASH SMASH
Modified: 2024-01-08 03:53 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2023-12-29 09:10:25 UTC 
A vulnerability was found in MicroPython up to 1.21.0. It has been classified as critical. Affected is the function slice_indices of the file objslice.c. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.22.0 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-249180.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7158
https://github.com/micropython/micropython/issues/13007

Patch:
https://github.com/micropython/micropython/pull/13039/commits/f397a3ec318f3ad05aa287764ae7cef32202380f
Comment 2 OBSbugzilla Bot 2024-01-08 03:35:00 UTC 
This is an autogenerated message for OBS integration:
This bug (1218446) was mentioned in
https://build.opensuse.org/request/show/1137463 Factory / micropython