2312917 – (CVE-2024-8948) CVE-2024-8948 micropython: heap buffer overflow via int_to_bytes

Bug 2312917 (CVE-2024-8948) - CVE-2024-8948 micropython: heap buffer overflow via int_to_bytes

Summary: CVE-2024-8948 micropython: heap buffer overflow via int_to_bytes

Keywords:
Status:	NEW
Alias:	CVE-2024-8948
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2312921
Blocks:
TreeView+	depends on / blocked

Reported:	2024-09-17 19:20 UTC by OSIDB Bzimport
Modified:	2024-09-17 19:42 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-09-17 19:20:54 UTC

A vulnerability was found in MicroPython 1.23.0. It has been rated as critical. Affected by this issue is the function mpz_as_bytes of the file py/objint.c. The manipulation leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The patch is identified as 908ab1ceca15ee6fd0ef82ca4cba770a3ec41894. It is recommended to apply a patch to fix this issue. In micropython objint component, converting zero from int to bytes leads to heap buffer-overflow-write at mpz_as_bytes.

Note You need to log in before you can comment on or make changes to this bug.