• Bug#1101014: open62541: CVE-2024-53429

    From Salvatore Bonaccorso@21:1/5 to All on Fri Mar 21 20:20:01 2025
    Source: open62541
    Version: 1.4.6-1
    Severity: grave
    Tags: security upstream
    Forwarded: https://github.com/open62541/open62541/issues/6825
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerability was published for open62541.

    CVE-2024-53429[0]:
    | Open62541 v1.4.6 has an assertion failure in fuzz_binary_decode,
    | which leads to a crash.

    I'm filing this at RC level, it's technically not really RC, but
    open62541 is fresh aiming for trixie, and it would be ideal to start
    without a CVE.

    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2024-53429
    https://www.cve.org/CVERecord?id=CVE-2024-53429
    [1] https://github.com/open62541/open62541/issues/6825
    [2] https://github.com/open62541/open62541/commit/b9473527623125b5ca264dae4551f8cc414b3bc3

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Salvatore Bonaccorso@21:1/5 to Julius Pfrommer on Fri Mar 21 23:10:01 2025
    Control: severity -1 normal

    Hi Julius,

    On Fri, Mar 21, 2025 at 10:31:11PM +0100, Julius Pfrommer wrote:
    > Salvatore,
    >
    > This is pretty bare-bones for a CVE.
    > And it would not have become one if the submitter had coordinated with the upstream project.
    > It's essentially a false positive.
    >
    > The crasher happens in the fuzzing scaffolding, not in the library itself.
    > In this case, a "nice to have" consistency behavior had been added to the fuzzing tests as an assert.
    > Fixing this made the library better. But this was no segfault that could happen in the wild.

    Thanks for reporting back quickly. I will lower the severity to
    normal.

    > We are working on updating the package to the v1.4.11 upstream release.
    > That will fix this.

    Ack.

    Regards,
    Salvatore
