Bug 1122841 (CVE-2019-3817)

Summary: VUL-0: CVE-2019-3817: libcomps: use after free when merging two objmrtrees
Product: [openSUSE] openSUSE Distribution
Reporter: Karol Babioch <karol>
Component: Security
Assignee: Neal Gompa <ngompa13>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
Version: Leap 15.0
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/223533/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Karol Babioch 2019-01-23 07:39:31 UTC
There is a use-after-free in the libcomps library, in the comps_objmradix.c:comps_objmrtree_unite() function. When two ObjMRTrees are merged, the pair variable may be freed and accessed again at the next iteration. An attacker who is able to craft a malicious comps XML file may use this flaw to crash the application or potentially execute code.

Upstream issue:
https://github.com/rpm-software-management/libcomps/issues/41

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1668005
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3817
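
The bug class named in the description (a `pair` freed in one loop iteration and touched again at the start of the next), shown as an added example beside a hardened form. This is a simplified constructed model, not libcomps source and not the upstream patch; the tree layout and the names `walk_vulnerable`, `walk_fixed` and `demo_visited` are hypothetical.

```c
#include <stdlib.h>
/* Constructed model, not libcomps source: first-child / next-sibling tree. */
struct node { struct node *child, *next; };
struct pair { struct node *subnodes; int added; struct pair *link; };

static struct pair *mk_pair(struct node *subnodes, struct pair *link) {
    struct pair *p = malloc(sizeof *p);
    if (!p) abort();
    p->subnodes = subnodes; p->added = 0; p->link = link;
    return p;
}

/* Vulnerable shape: `pair` outlives the iteration that freed it. */
int walk_vulnerable(struct node *root) {
    struct pair *pair = mk_pair(root, NULL), *work = pair;
    int visited = 0;
    while (work) {
        struct pair *parent = work; work = work->link;
        pair->added = 0;   /* use-after-free when the last pair was freed below */
        for (struct node *n = parent->subnodes; n; n = n->next) {
            visited++;
            pair = mk_pair(n->child, work);
            if (n->child) work = pair;   /* queued: freed later as `parent` */
            else free(pair);             /* leaf: freed now, pointer left dangling */
        }
        free(parent);
    }
    return visited;
}

/* Hardened shape: no pair pointer survives an iteration; only queued pairs exist. */
int walk_fixed(struct node *root) {
    struct pair *work = mk_pair(root, NULL);
    int visited = 0;
    while (work) {
        struct pair *parent = work; work = work->link;
        for (struct node *n = parent->subnodes; n; n = n->next) {
            visited++;
            if (n->child) work = mk_pair(n->child, work);
        }
        free(parent);
    }
    return visited;
}

/* Constructed input: a -> (b, c), b -> (d); c and d are leaves. */
int demo_visited(void) {
    struct node d = {0, 0}, c = {0, 0}, b = {&d, &c}, a = {&b, 0};
    return walk_fixed(&a);
}
int main(void) { return demo_visited() == 4 ? 0 : 1; }
```

Building the model with `-fsanitize=address` and calling `walk_vulnerable` on the same constructed tree reports the stale write at `pair->added = 0`; `walk_fixed` runs clean.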
Comment 1 Swamp Workflow Management 2019-02-07 13:30:06 UTC
This is an autogenerated message for OBS integration:
This bug (1122841) was mentioned in
https://build.opensuse.org/request/show/672448 Factory / libcomps
Comment 2 Swamp Workflow Management 2019-02-07 14:30:06 UTC
This is an autogenerated message for OBS integration:
This bug (1122841) was mentioned in
https://build.opensuse.org/request/show/672481 15.1 / libcomps
Comment 3 Swamp Workflow Management 2019-03-03 19:30:06 UTC
This is an autogenerated message for OBS integration:
This bug (1122841) was mentioned in
https://build.opensuse.org/request/show/681119 15.0 / libcomps
Comment 4 Swamp Workflow Management 2019-03-11 17:11:37 UTC
openSUSE-SU-2019:0323-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1122841
CVE References: CVE-2019-3817
Sources used:
openSUSE Leap 15.0 (src):    libcomps-0.1.8-lp150.2.3.1
Comment 5 Swamp Workflow Management 2019-03-15 11:09:11 UTC
openSUSE-SU-2019:0328-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1122841
CVE References: CVE-2019-3817
Sources used:
openSUSE Backports SLE-15 (src):    libcomps-0.1.8-bp150.3.3.1
Comment 6 Neal Gompa 2019-04-07 19:37:10 UTC
This is fixed in all openSUSE distribution releases now.