Bugzilla – Bug 1219822
VUL-0: CVE-2024-25446: hugin: heap buffer overflow in HuginBase::PTools::setDestImage
Last modified: 2024-02-14 17:05:06 UTC
An issue in the HuginBase::PTools::setDestImage function of Hugin v2022.0.0 allows attackers to cause a heap buffer overflow via parsing a crafted image. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25446 https://www.cve.org/CVERecord?id=CVE-2024-25446 https://bugs.launchpad.net/hugin/+bug/2025037 https://bugzilla.redhat.com/show_bug.cgi?id=2263555
Not sure about correct reproducing command, but I get: 2022.0.0 :/219822 # pto_merge poc-file.txt poc-file.txt ERROR: 13:26:12.202964 (/home/abuild/rpmbuild/BUILD/hugin-2022.0.0/src/hugin_base/panotools/PanoToolsInterface.cpp:357) setDestImage(): unsupported projection ERROR: 13:26:12.203301 (/home/abuild/rpmbuild/BUILD/hugin-2022.0.0/src/hugin_base/panotools/PanoToolsInterface.cpp:357) setDestImage(): unsupported projection Segmentation fault (core dumped) :/219822 # 2023.0.0 :/219822 # pto_merge poc-file.txt poc-file.txt file "poc-file.txt" seems to be an image file and not a PTO file. :/219822 # Upstream bug suggests the issue was fixed in Hugin 2023.0beta1.
This is an autogenerated message for OBS integration: This bug (1219822) was mentioned in https://build.opensuse.org/request/show/1146413 Backports:SLE-15-SP5 / hugin
Submitted a version update (-> 2023.0.0) for b15sp6 and b15sp5. I believe all fixed.
This is an autogenerated message for OBS integration: This bug (1219822) was mentioned in https://build.opensuse.org/request/show/1146570 Factory / hugin https://build.opensuse.org/request/show/1146575 Backports:SLE-15-SP6 / hugin
openSUSE-SU-2024:0047-1: An update that fixes four vulnerabilities is now available. Category: security (important) Bug References: 1219819,1219820,1219821,1219822 CVE References: CVE-2024-25442,CVE-2024-25443,CVE-2024-25445,CVE-2024-25446 JIRA References: Sources used: openSUSE Backports SLE-15-SP5 (src): hugin-2023.0.0-bp155.2.3.1