Bug 1221053 (CVE-2024-25817) - VUL-0: CVE-2024-25817: eza: potential heap overflow in AArch64
Summary: VUL-0: CVE-2024-25817: eza: potential heap overflow in AArch64
Status: RESOLVED FIXED
Alias: CVE-2024-25817
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.6
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/396421/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-03-06 11:02 UTC by SMASH SMASH
Modified: 2024-03-08 11:52 UTC
CC: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description SMASH SMASH 2024-03-06 11:02:18 UTC
Buffer overflow vulnerability in eza before version 0.18.2 allows local attackers to execute arbitrary code via the .git/HEAD, .git/refs, and .git/objects components.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25817
https://www.cubeyond.net/blog/my-cves/eza-cve-report
https://www.cve.org/CVERecord?id=CVE-2024-25817
https://github.com/advisories/GHSA-3qx3-6hxr-j2ch
https://bugzilla.redhat.com/show_bug.cgi?id=2268034
Comment 1 Carlos López 2024-03-06 11:03:14 UTC
Relevant for openSUSE:Backports:SLE-15-SP6/eza. Factory is already on a fixed version.
Comment 2 Michael Vetter 2024-03-06 12:38:23 UTC
SR#1155551 to add bugzilla reference to changelog.
SR#1155552 to push newest eza to openSUSE:Backports:SLE-15-SP6
Comment 3 OBSbugzilla Bot 2024-03-06 13:35:07 UTC
This is an autogenerated message for OBS integration:
This bug (1221053) was mentioned in
https://build.opensuse.org/request/show/1155551 Factory / eza
Comment 4 Michael Vetter 2024-03-08 06:06:38 UTC
All SRs accepted.
Comment 5 Carlos López 2024-03-08 11:52:39 UTC
Done, closing.