CVE-2024-40897

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-40897
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-40897.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-40897
Related
Published
2024-07-26T06:15:02Z
Modified
2024-12-05T15:37:59.675387Z
Severity
  • 6.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Stack-based buffer overflow vulnerability exists in orcparse.c of ORC versions prior to 0.4.39. If a developer is tricked to process a specially crafted file with the affected ORC compiler, an arbitrary code may be executed on the developer's build environment. This may lead to compromise of developer machines or CI build environments.

References

Affected packages

Alpine:v3.17 / orc

Package

Name
orc
Purl
pkg:apk/alpine/orc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.4.39-r0

Affected versions

0.*

0.4.14-r0
0.4.16-r0
0.4.17-r0
0.4.18-r0
0.4.19-r0
0.4.22-r0
0.4.23-r0
0.4.24-r0
0.4.25-r0
0.4.26-r0
0.4.27-r0
0.4.28-r0
0.4.29-r0
0.4.30-r0
0.4.31-r0
0.4.31-r1
0.4.31-r2
0.4.32-r0
0.4.32-r1
0.4.32-r2
0.4.33-r0

Alpine:v3.18 / orc

Package

Name
orc
Purl
pkg:apk/alpine/orc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.4.39-r0

Affected versions

0.*

0.4.14-r0
0.4.16-r0
0.4.17-r0
0.4.18-r0
0.4.19-r0
0.4.22-r0
0.4.23-r0
0.4.24-r0
0.4.25-r0
0.4.26-r0
0.4.27-r0
0.4.28-r0
0.4.29-r0
0.4.30-r0
0.4.31-r0
0.4.31-r1
0.4.31-r2
0.4.32-r0
0.4.32-r1
0.4.32-r2
0.4.33-r0
0.4.33-r1
0.4.34-r0

Alpine:v3.19 / orc

Package

Name
orc
Purl
pkg:apk/alpine/orc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.4.39-r0

Affected versions

0.*

0.4.14-r0
0.4.16-r0
0.4.17-r0
0.4.18-r0
0.4.19-r0
0.4.22-r0
0.4.23-r0
0.4.24-r0
0.4.25-r0
0.4.26-r0
0.4.27-r0
0.4.28-r0
0.4.29-r0
0.4.30-r0
0.4.31-r0
0.4.31-r1
0.4.31-r2
0.4.32-r0
0.4.32-r1
0.4.32-r2
0.4.33-r0
0.4.33-r1
0.4.34-r0

Alpine:v3.20 / orc

Package

Name
orc
Purl
pkg:apk/alpine/orc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.4.39-r0

Affected versions

0.*

0.4.14-r0
0.4.16-r0
0.4.17-r0
0.4.18-r0
0.4.19-r0
0.4.22-r0
0.4.23-r0
0.4.24-r0
0.4.25-r0
0.4.26-r0
0.4.27-r0
0.4.28-r0
0.4.29-r0
0.4.30-r0
0.4.31-r0
0.4.31-r1
0.4.31-r2
0.4.32-r0
0.4.32-r1
0.4.32-r2
0.4.33-r0
0.4.33-r1
0.4.34-r0
0.4.35-r0
0.4.37-r0

Alpine:v3.21 / orc

Package

Name
orc
Purl
pkg:apk/alpine/orc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.4.39-r0

Affected versions

0.*

0.4.14-r0
0.4.16-r0
0.4.17-r0
0.4.18-r0
0.4.19-r0
0.4.22-r0
0.4.23-r0
0.4.24-r0
0.4.25-r0
0.4.26-r0
0.4.27-r0
0.4.28-r0
0.4.29-r0
0.4.30-r0
0.4.31-r0
0.4.31-r1
0.4.31-r2
0.4.32-r0
0.4.32-r1
0.4.32-r2
0.4.33-r0
0.4.33-r1
0.4.34-r0
0.4.35-r0
0.4.37-r0
0.4.38-r0

Debian:11 / orc

Package

Name
orc
Purl
pkg:deb/debian/orc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:0.*

1:0.4.32-1
1:0.4.32-2
1:0.4.33-1
1:0.4.33-2
1:0.4.34-1
1:0.4.34-2
1:0.4.34-3
1:0.4.34-3.1~exp1
1:0.4.34-4
1:0.4.34-4.1
1:0.4.34-4.2
1:0.4.34-4.3
1:0.4.38-1
1:0.4.39-1
1:0.4.39-2
1:0.4.39-2+hurd.1
1:0.4.39-3
1:0.4.40-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / orc

Package

Name
orc
Purl
pkg:deb/debian/orc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:0.*

1:0.4.33-2
1:0.4.34-1
1:0.4.34-2
1:0.4.34-3
1:0.4.34-3.1~exp1
1:0.4.34-4
1:0.4.34-4.1
1:0.4.34-4.2
1:0.4.34-4.3
1:0.4.38-1
1:0.4.39-1
1:0.4.39-2
1:0.4.39-2+hurd.1
1:0.4.39-3
1:0.4.40-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / orc

Package

Name
orc
Purl
pkg:deb/debian/orc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:0.4.39-1

Affected versions

1:0.*

1:0.4.33-2
1:0.4.34-1
1:0.4.34-2
1:0.4.34-3
1:0.4.34-3.1~exp1
1:0.4.34-4
1:0.4.34-4.1
1:0.4.34-4.2
1:0.4.34-4.3
1:0.4.38-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / gitlab.freedesktop.org/gstreamer/orc

Affected ranges

Type
GIT
Repo
https://gitlab.freedesktop.org/gstreamer/orc
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.4.23
0.4.29
0.4.30
0.4.31
0.4.32
0.4.33
0.4.34
0.4.35
0.4.36
0.4.37
0.4.38

Other

merge-base

orc-0.*

orc-0.4.0
orc-0.4.10
orc-0.4.11
orc-0.4.12
orc-0.4.13
orc-0.4.14
orc-0.4.15
orc-0.4.16
orc-0.4.17
orc-0.4.18
orc-0.4.19
orc-0.4.2
orc-0.4.20
orc-0.4.21
orc-0.4.22
orc-0.4.23
orc-0.4.24
orc-0.4.25
orc-0.4.26
orc-0.4.27
orc-0.4.28
orc-0.4.3
orc-0.4.4
orc-0.4.5
orc-0.4.6
orc-0.4.7
orc-0.4.8
orc-0.4.9