Bugzilla – Bug 1220096
VUL-0: CVE-2024-26134: python-cbor2: potential crash when hashing a CBORTag
Last modified: 2024-02-20 09:15:02 UTC
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26134 https://www.cve.org/CVERecord?id=CVE-2024-26134 https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542 https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df https://github.com/agronholm/cbor2/pull/204 https://github.com/agronholm/cbor2/releases/tag/5.6.2 https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m https://bugzilla.redhat.com/show_bug.cgi?id=2265034
(In reply to SMASH SMASH from comment #0) > Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service (...) We have 5.5.1 in openSUSE:Backports:SLE-15-SP6 and openSUSE:Factory, but it seems to me that 5.5.1 is the last version to not be affected.