2265034 – (CVE-2024-26134) CVE-2024-26134 cbor2: Potential buffer overflow in CBOR2 decoder

Bug 2265034 (CVE-2024-26134) - CVE-2024-26134 cbor2: Potential buffer overflow in CBOR2 decoder

Summary: CVE-2024-26134 cbor2: Potential buffer overflow in CBOR2 decoder

Keywords:
Status:	NEW
Alias:	CVE-2024-26134
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2265035 2265036
Blocks:
TreeView+	depends on / blocked

Reported:	2024-02-20 03:08 UTC by Avinash Hanwate
Modified:	2024-02-20 03:11 UTC (History)
CC List:	0 users
Fixed In Version:	cbor2 5.6.2
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Avinash Hanwate 2024-02-20 03:08:16 UTC

cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue.

https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542
https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df
https://github.com/agronholm/cbor2/pull/204
https://github.com/agronholm/cbor2/releases/tag/5.6.2
https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m

Comment 1 Avinash Hanwate 2024-02-20 03:11:47 UTC

Created python-cbor2 tracking bugs for this issue:

Affects: epel-all [bug 2265035]
Affects: fedora-all [bug 2265036]

Note You need to log in before you can comment on or make changes to this bug.