Bug 2453358

Summary: CVE-2024-14030 perl-Sereal-Decoder: buffer overwrite flaw in the Zstandard library (CVE-2019-11922) [epel-all]
Product: [Fedora] Fedora EPEL Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: perl-Sereal-DecoderAssignee: Paul Howarth <paul>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: high    
Version: epel10CC: denis, jplesnik, mspacek, paul, perl-devel, ppisar
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: {"flaws": ["ef6d75c6-53fe-47d2-b910-2c6da8ef212a"]}
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2026-04-01 09:58:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2453333    

Description Guilherme de Almeida Suckevicz 2026-03-31 14:56:45 UTC 
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Comment 1 Paul Howarth 2026-04-01 09:58:48 UTC 
This issue affects perl-Sereal-Decoder 4.x versions prior to version 4.010 (see Bug #2453333).

EPEL-8 has version 4.018
EPEL-9 has version 4.018
EPEL-10.* has version 5.004

Hence, no current EPEL release is affected by this issue.
Comment 2 Michal Josef Spacek 2026-04-01 10:45:45 UTC 
We are unbundling the Zstandard library (and other) in Fedora and EPEL.

So, this kind of reports about issue in bundling is a bit weird.
Comment 3 Paul Howarth 2026-04-01 12:56:07 UTC 
(In reply to Michal Josef Spacek from comment #2)
> We are unbundling the Zstandard library (and other) in Fedora and EPEL.
> 
> So, this kind of reports about issue in bundling is a bit weird.

Figuring that out requires looking in a little depth at how the package is built, and is not the upstream default way of doing things, so it's understandable.

I also look after libssh2 and get bugs raised on that whenever libssh (a completely different codebase) has a security issue, so I don't think anyone's looking at things in any detail at all.