Source: azure-uamqp-python X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security
Hi, The following vulnerability was published for azure-uamqp-python. CVE-2024-29195[0]: | The azure-c-shared-utility is a C library for AMQP/MQTT | communication to Azure Cloud Services. This library may be used by | the Azure IoT C SDK for communication between IoT Hub and IoT Hub | devices. An attacker can cause an integer wraparound or under- | allocation or heap buffer overflow due to vulnerabilities in | parameter checking mechanism, by exploiting the buffer length | parameter in Azure C SDK, which may lead to remote code execution. | Requirements for RCE are 1. Compromised Azure account allowing | malformed payloads to be sent to the device via IoT Hub service, 2. | By passing IoT hub service max message payload limit of 128KB, and | 3. Ability to overwrite code space with remote code. Fixed in commit | https://github.com/Azure/azure-c-shared- | utility/commit/1129147c38ac02ad974c4c701a1e01b2141b9fe2. https://github.com/Azure/azure-c-shared-utility/security/advisories/GHSA-m8wp-hc7w-x4xg https://github.com/Azure/azure-c-shared-utility/commit/1129147c38ac02ad974c4c701a1e01b2141b9fe2 If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-29195 https://www.cve.org/CVERecord?id=CVE-2024-29195 Please adjust the affected versions in the BTS as needed.