Security update for orc SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2643-1 Final 1 1 2024-07-30T08:05:06Z current 2024-07-30T08:05:06Z 2024-07-30T08:05:06Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for orc This update for orc fixes the following issues: - CVE-2024-40897: Fixed stack-based buffer overflow in the orc compiler when formatting error messages for certain input files (bsc#1228184) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-2643,SUSE-SLE-SDK-12-SP5-2024-2643,SUSE-SLE-SERVER-12-SP5-2024-2643 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242643-1/ Link for SUSE-SU-2024:2643-1 https://lists.suse.com/pipermail/sle-updates/2024-July/036176.html E-Mail link for SUSE-SU-2024:2643-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1228184 SUSE Bug 1228184 https://www.suse.com/security/cve/CVE-2024-40897/ SUSE CVE CVE-2024-40897 page SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 SP5 liborc-0_4-0-0.4.21-3.3.1 liborc-0_4-0-32bit-0.4.21-3.3.1 liborc-0_4-0-64bit-0.4.21-3.3.1 orc-0.4.21-3.3.1 orc-doc-0.4.21-3.3.1 liborc-0_4-0-0.4.21-3.3.1 as a component of SUSE Linux Enterprise Server 12 SP5 liborc-0_4-0-32bit-0.4.21-3.3.1 as a component of SUSE Linux Enterprise Server 12 SP5 liborc-0_4-0-0.4.21-3.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 liborc-0_4-0-32bit-0.4.21-3.3.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 orc-0.4.21-3.3.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 Stack-based buffer overflow vulnerability exists in orcparse.c of ORC versions prior to 0.4.39. If a developer is tricked to process a specially crafted file with the affected ORC compiler, an arbitrary code may be executed on the developer's build environment. This may lead to compromise of developer machines or CI build environments. CVE-2024-40897 SUSE Linux Enterprise Server 12 SP5:liborc-0_4-0-0.4.21-3.3.1 SUSE Linux Enterprise Server 12 SP5:liborc-0_4-0-32bit-0.4.21-3.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:liborc-0_4-0-0.4.21-3.3.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:liborc-0_4-0-32bit-0.4.21-3.3.1 SUSE Linux Enterprise Software Development Kit 12 SP5:orc-0.4.21-3.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242643-1/ https://www.suse.com/security/cve/CVE-2024-40897.html CVE-2024-40897 https://bugzilla.suse.com/1228184 SUSE Bug 1228184