Bug 2256177 (CVE-2023-7152)

Summary: CVE-2023-7152 micropython: use after free vulnerability
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Bug Depends On: 2256178

Description Avinash Hanwate 2023-12-29 10:46:15 UTC
A vulnerability, which was classified as critical, has been found in MicroPython 1.21.0/1.22.0-preview. Affected by this issue is the function poll_set_add_fd of the file extmod/modselect.c. The manipulation leads to use after free. The exploit has been disclosed to the public and may be used. The patch is identified as 8b24aa36ba978eafc6114b6798b47b7bfecdca26. It is recommended to apply a patch to fix this issue. VDB-249158 is the identifier assigned to this vulnerability.

https://github.com/jimmo/micropython/commit/8b24aa36ba978eafc6114b6798b47b7bfecdca26
https://github.com/micropython/micropython/issues/12887
https://vuldb.com/?ctiid.249158
https://vuldb.com/?id.249158

Comment 1 Avinash Hanwate 2023-12-29 10:46:33 UTC
Created micropython tracking bugs for this issue:

Affects: fedora-all [bug 2256178]

Comment 2 Fedora Update System 2024-04-04 00:45:52 UTC
FEDORA-2024-34aa24af35 (micropython-1.22.2-1.fc39) has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 3 Fedora Update System 2024-04-04 00:55:18 UTC
FEDORA-2024-51e55a7065 (micropython-1.22.2-1.fc38) has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.