Bugzilla – Bug 1219821
VUL-0: CVE-2024-25445: hugin: assertion failure in HuginBase::PTools::Transform::transform
Last modified: 2024-02-14 17:05:03 UTC
Improper handling of values in HuginBase::PTools::Transform::transform of Hugin 2022.0.0 leads to an assertion failure. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25445 https://bugs.launchpad.net/hugin/+bug/2025038 https://www.cve.org/CVERecord?id=CVE-2024-25445 https://bugzilla.redhat.com/show_bug.cgi?id=2263555
Not sure about correct reproducing command, I get however: 2022.0.0 $ valgrind -q pto_merge poc-file.txt poc-file.txt Written output to poc-file_merge.pto $ 2023.0.0 :/219821 # pto_merge poc-file.txt poc-file.txt file "poc-file.txt" seems to be an image file and not a PTO file. :/219821 # Upstream bug suggests the issue was fixed in Hugin 2023.0beta1.
This is an autogenerated message for OBS integration: This bug (1219821) was mentioned in https://build.opensuse.org/request/show/1146413 Backports:SLE-15-SP5 / hugin
Submitted a version update (-> 2023.0.0) for b15sp6 and b15sp5. I believe all fixed.
This is an autogenerated message for OBS integration: This bug (1219821) was mentioned in https://build.opensuse.org/request/show/1146570 Factory / hugin https://build.opensuse.org/request/show/1146575 Backports:SLE-15-SP6 / hugin
openSUSE-SU-2024:0047-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 1219819,1219820,1219821,1219822 CVE References: CVE-2024-25442,CVE-2024-25443,CVE-2024-25445,CVE-2024-25446 JIRA References: Sources used: openSUSE Backports SLE-15-SP5 (src): hugin-2023.0.0-bp155.2.3.1