CVE-2024-42333

Name	CVE-2024-42333
Description	The researcher is showing that it is possible to leak a small amount of Zabbix Server memory using an out of bounds read in src/libs/zbxmedia/email.c
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3984-1, ELA-1273-1
Debian Bugs	1088689

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
zabbix (PTS)	jessie, jessie (lts)	1:2.2.23+dfsg-0+deb8u9	fixed
	stretch (security)	1:3.0.32+dfsg-0+deb9u3	vulnerable
	stretch (lts), stretch	1:3.0.32+dfsg-0+deb9u8	fixed
	buster (security), buster, buster (lts)	1:4.0.4+dfsg-1+deb10u5	vulnerable
	bullseye	1:5.0.8+dfsg-1	vulnerable
	bullseye (security)	1:5.0.45+dfsg-1+deb11u1	fixed
	bookworm	1:6.0.14+dfsg-1	vulnerable
	sid, trixie	1:7.0.6+dfsg-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
zabbix	source	jessie	1:2.2.23+dfsg-0+deb8u9		ELA-1273-1
zabbix	source	stretch	1:3.0.32+dfsg-0+deb9u8		ELA-1273-1
zabbix	source	buster	(unfixed)	end-of-life
zabbix	source	bullseye	1:5.0.45+dfsg-1+deb11u1		DLA-3984-1
zabbix	source	(unstable)	1:7.0.5+dfsg-1			1088689

Notes

https://support.zabbix.com/browse/ZBX-25629
Fixed by https://github.com/zabbix/zabbix/commit/72d2ce61872fcbace8f8dfdabc0568c99980989d (7.0.4rc1)
Fixed by (merge commit) https://github.com/zabbix/zabbix/commit/c4ea57b823cb6a4c2cb0796f500e862fbb6a46ea (6.0.35rc1)