Security update for keybase-client SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:0194-2 Final 1 1 2024-07-08T18:01:42Z current 2024-07-08T18:01:42Z 2024-07-08T18:01:42Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for keybase-client This update for keybase-client fixes the following issues: Update to version 6.2.8 * Update client CA * Fix incomplete locking in config file handling. - Update the Image dependency to address CVE-2023-29408 / boo#1213928. This is done via the new update-image-tiff.patch. - Limit parallel test execution as that seems to cause failing builds on OBS that don't occur locally. - Integrate KBFS packages previously build via own source package * Upstream integrated these into the same source. * Also includes adding kbfs-related patches ensure-mount-dir-exists.patch and ensure-service-stop-unmounts-filesystem.patch. - Upgrade Go version used for compilation to 1.19. - Use Systemd unit file from upstream source. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2024-194 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PKFUM343ZIFFU5562L2AAJWE2OVIJBOH/ E-Mail link for openSUSE-SU-2024:0194-2 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1213928 SUSE Bug 1213928 https://www.suse.com/security/cve/CVE-2023-29408/ SUSE CVE CVE-2023-29408 page SUSE Package Hub 15 SP5 SUSE Package Hub 15 SP6 openSUSE Leap 15.5 openSUSE Leap 15.6 kbfs-6.2.8-bp156.2.3.1 kbfs-git-6.2.8-bp156.2.3.1 kbfs-tool-6.2.8-bp156.2.3.1 keybase-client-6.2.8-bp156.2.3.1 kbfs-6.2.8-bp156.2.3.1 as a component of SUSE Package Hub 15 SP5 kbfs-git-6.2.8-bp156.2.3.1 as a component of SUSE Package Hub 15 SP5 kbfs-tool-6.2.8-bp156.2.3.1 as a component of SUSE Package Hub 15 SP5 keybase-client-6.2.8-bp156.2.3.1 as a component of SUSE Package Hub 15 SP5 kbfs-6.2.8-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 kbfs-git-6.2.8-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 kbfs-tool-6.2.8-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 keybase-client-6.2.8-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 kbfs-6.2.8-bp156.2.3.1 as a component of openSUSE Leap 15.5 kbfs-git-6.2.8-bp156.2.3.1 as a component of openSUSE Leap 15.5 kbfs-tool-6.2.8-bp156.2.3.1 as a component of openSUSE Leap 15.5 keybase-client-6.2.8-bp156.2.3.1 as a component of openSUSE Leap 15.5 kbfs-6.2.8-bp156.2.3.1 as a component of openSUSE Leap 15.6 kbfs-git-6.2.8-bp156.2.3.1 as a component of openSUSE Leap 15.6 kbfs-tool-6.2.8-bp156.2.3.1 as a component of openSUSE Leap 15.6 keybase-client-6.2.8-bp156.2.3.1 as a component of openSUSE Leap 15.6 The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encoded size) to make the decoder decode large amounts of compressed data, consuming excessive memory and CPU. CVE-2023-29408 SUSE Package Hub 15 SP5:kbfs-6.2.8-bp156.2.3.1 SUSE Package Hub 15 SP5:kbfs-git-6.2.8-bp156.2.3.1 SUSE Package Hub 15 SP5:kbfs-tool-6.2.8-bp156.2.3.1 SUSE Package Hub 15 SP5:keybase-client-6.2.8-bp156.2.3.1 SUSE Package Hub 15 SP6:kbfs-6.2.8-bp156.2.3.1 SUSE Package Hub 15 SP6:kbfs-git-6.2.8-bp156.2.3.1 SUSE Package Hub 15 SP6:kbfs-tool-6.2.8-bp156.2.3.1 SUSE Package Hub 15 SP6:keybase-client-6.2.8-bp156.2.3.1 openSUSE Leap 15.5:kbfs-6.2.8-bp156.2.3.1 openSUSE Leap 15.5:kbfs-git-6.2.8-bp156.2.3.1 openSUSE Leap 15.5:kbfs-tool-6.2.8-bp156.2.3.1 openSUSE Leap 15.5:keybase-client-6.2.8-bp156.2.3.1 openSUSE Leap 15.6:kbfs-6.2.8-bp156.2.3.1 openSUSE Leap 15.6:kbfs-git-6.2.8-bp156.2.3.1 openSUSE Leap 15.6:kbfs-tool-6.2.8-bp156.2.3.1 openSUSE Leap 15.6:keybase-client-6.2.8-bp156.2.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PKFUM343ZIFFU5562L2AAJWE2OVIJBOH/ https://www.suse.com/security/cve/CVE-2023-29408.html CVE-2023-29408 https://bugzilla.suse.com/1213928 SUSE Bug 1213928