Bug 1197581 (CVE-2022-1106)

Summary: VUL-0: CVE-2022-1106: mruby: use after free in mrb_vm_exec
Product: [openSUSE] openSUSE Tumbleweed Reporter: Thomas Leroy <thomas.leroy>
Component: SecurityAssignee: Ferdinand Thiessen <rpm>
Status: RESOLVED WORKSFORME QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium    
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/327317/
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 1 Thomas Leroy 2022-03-28 08:54:17 UTC
No version containing the fixing commit yet. openSUSE:Factory should be affected
Comment 2 Ferdinand Thiessen 2022-04-26 19:27:09 UTC
Version on Factory not affected, POC does not work.
Probably only the git version is affected not the 3.0 release (or fixed by other patch).

> % mruby POC
> trace (most recent call last):
> POC:1: undefined method 'cmp' (NoMethodError)