CVE-2024-26134: Potential buffer overflow in CBOR2 decoder
(updated )
Ever since https://github.com/agronholm/cbor2/pull/204 (or specifically https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542) was merged, I can create a reproducible crash when running the snippet under PoC on a current Debian bullseye aarm64 on a Raspberry Pi 3 (I was not able to reproduce this on my x86_64 Laptop with Python 3.11; I suspect because there is enough memory to allocate still)
References
- github.com/advisories/GHSA-375g-39jq-vq7m
- github.com/agronholm/cbor2
- github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542
- github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df
- github.com/agronholm/cbor2/pull/204
- github.com/agronholm/cbor2/releases/tag/5.6.2
- github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m
- github.com/pypa/advisory-database/tree/main/vulns/cbor2/PYSEC-2024-155.yaml
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY
- nvd.nist.gov/vuln/detail/CVE-2024-26134
Detect and mitigate CVE-2024-26134 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →