CVE-2024-21646

NameCVE-2024-21646
DescriptionAzure uAMQP is a general purpose C library for AMQP 1.0. The UAMQP library is used by several clients to implement AMQP protocol communication. When clients using this library receive a crafted binary type data, an integer overflow or wraparound or memory safety issue can occur and may cause remote code execution. This vulnerability has been patched in release 2024-01-01.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
azure-uamqp-python (PTS)bullseye1.2.13-1vulnerable
bookworm1.5.3-1vulnerable
sid, trixie1.6.9-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
azure-uamqp-pythonsource(unstable)1.6.8-1

Notes

https://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-j29m-p99g-7hpv
https://github.com/Azure/azure-uamqp-c/commit/12ddb3a31a5a97f55b06fa5d74c59a1d84ad78fe
https://github.com/Azure/azure-uamqp-python/issues/372
https://github.com/Azure/azure-uamqp-python/commit/c85efcd12c249999eb8a1064b7d4fd8c7715c780 (v1.6.7)
Search for package or bug name: Reporting problems