Bugzilla – Bug 1219819
VUL-0: CVE-2024-25442: hugin: heap buffer overflow in HuginBase::PanoramaMemento::loadPTScript
Last modified: 2024-02-14 17:04:59 UTC
An issue in the HuginBase::PanoramaMemento::loadPTScript function of Hugin v2022.0.0 allows attackers to cause a heap buffer overflow via parsing a crafted image. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25442 https://www.cve.org/CVERecord?id=CVE-2024-25442 https://bugs.launchpad.net/hugin/+bug/2025032 https://bugzilla.redhat.com/show_bug.cgi?id=2263555
Not sure about correct reproducing command, I get however: 2022.0.0 :/219819 # pto_merge poc-file.txt poc-file.txt Segmentation fault (core dumped) :/219819 # 2023.0.0 :/219819 # pto_merge poc-file.txt poc-file.txt error while parsing panos tool script: poc-file.txt :/219819 # Upstream bug suggests the issue was fixed in Hugin 2023.0beta1.
This is an autogenerated message for OBS integration: This bug (1219819) was mentioned in https://build.opensuse.org/request/show/1146413 Backports:SLE-15-SP5 / hugin
Submitted a version update (-> 2023.0.0) for b15sp6 and b15sp5. I believe all fixed.
This is an autogenerated message for OBS integration: This bug (1219819) was mentioned in https://build.opensuse.org/request/show/1146570 Factory / hugin https://build.opensuse.org/request/show/1146575 Backports:SLE-15-SP6 / hugin
openSUSE-SU-2024:0047-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 1219819,1219820,1219821,1219822 CVE References: CVE-2024-25442,CVE-2024-25443,CVE-2024-25445,CVE-2024-25446 JIRA References: Sources used: openSUSE Backports SLE-15-SP5 (src): hugin-2023.0.0-bp155.2.3.1