Bug 1197581 (CVE-2022-1106)

Summary: VUL-0: CVE-2022-1106: mruby: use after free in mrb_vm_exec
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Thomas Leroy <thomas.leroy>
Component: Security
Assignee: Ferdinand Thiessen <rpm>
Status: RESOLVED WORKSFORME
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/327317/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Thomas Leroy 2022-03-28 08:54:17 UTC
No version containing the fixing commit yet. openSUSE:Factory should be affected.
Comment 2 Ferdinand Thiessen 2022-04-26 19:27:09 UTC
Version on Factory not affected, POC does not work.
Probably only the git version is affected, not the 3.0 release (or fixed by other patch).

> % mruby POC
> trace (most recent call last):
> POC:1: undefined method 'cmp' (NoMethodError)