Bug 1120631 (CVE-2018-20534) - VUL-1: CVE-2018-20534: libsolv: illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a
Status: RESOLVED INVALID
Alias: CVE-2018-20534
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P4 - Low : Minor
Target Milestone: ---
Assignee: Michael Schröder
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/221947/
Whiteboard: CVSSv3:SUSE:CVE-2018-20534:3.3:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2019-01-03 12:10 UTC by Karol Babioch
Modified: 2021-06-02 14:45 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Karol Babioch 2019-01-03 12:10:41 UTC
There is an illegal address access at src/pool.h (function
pool_whatprovides) in libsolv.a in libsolv through 0.7.2 that will
cause a denial of service.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20534
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20534
Comment 1 Karol Babioch 2019-01-03 13:21:29 UTC
Not quite sure which commit of the upstream pull request this CVE refers to. The file / function that are referenced by the CVE (src/pool.h) are not touched at all ...

https://github.com/openSUSE/libsolv/pull/291/files

Michael, do you happen to know something about this ;-)?
Comment 2 Michael Schröder 2019-01-30 15:07:38 UTC
It's probably this commit:

commit 6de825c4d27022e48570824f0be77132c5b6d45a
Author: Jaroslav Rohel <jrohel@redhat.com>
Date:   Tue Dec 11 10:27:15 2018 +0100

    Fix: testsolv segfaults
    
    ERROR: AddressSanitizer: SEGV on unknown address 0x0000000002f0 (pc 0x7f31501d3bd2 bp 0x7ffcfe4d4a50 sp 0x7ffcfe4d4a30 T0)
    0 0x7f31501d3bd1 in pool_whatprovides /home/company/real_sanitize/libsolv-master/src/pool.h:331
    1 0x7f31501d895e in testcase_str2solvid /home/company/real_sanitize/libsolv-master/ext/testcase.c:793
    2 0x7f31501e8388 in testcase_read /home/company/real_sanitize/libsolv-master/ext/testcase.c:2807
    3 0x402aa5 in main /home/company/real_sanitize/libsolv-master/tools/testsolv.c:148
    4 0x7f314fa8da3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    5 0x401bb8 in _start (/home/company/real_sanitize/libsolv-master/build/install/bin/testsolv+0x401bb8)
    
    ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5af9e7815f bp 0x7ffc4c843a40 sp 0x7ffc4c8436c0 T0)
    0 0x7f5af9e7815e in testcase_read /home/company/real_sanitize/libsolv-master/ext/testcase.c:2799
    1 0x402aa5 in main /home/company/real_sanitize/libsolv-master/tools/testsolv.c:148
    2 0x7f5af971da3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    3 0x401bb8 in _start (/home/company/real_sanitize/libsolv-master/build/install/bin/testsolv+0x401bb8)

diff --git a/ext/testcase.c b/ext/testcase.c
index fe2636cb..c8dd14ee 100644
--- a/ext/testcase.c
+++ b/ext/testcase.c
@@ -2795,7 +2795,7 @@ testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **res
        {
          int i = strlen(pieces[1]);
          s = strchr(pieces[1], '(');
-         if (!s && pieces[1][i - 1] != ')')
+         if (!s || pieces[1][i - 1] != ')')
            {
              pool_error(pool, 0, "testcase_read: bad namespace '%s'", pieces[1]);
            }
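
Review bot: at the changed condition `if (!s || pieces[1][i - 1] != ')')`, the visible error branch only calls pool_error() and the context ends at its closing brace, so nothing here shows that the rest of the namespace handling is skipped for a rejected line. Please confirm the code that goes on to use `s` sits in an `else` (or that the branch leaves the case), otherwise a NULL `s` is still dereferenced after the error is reported. The operand order itself is fine: with `||`, `pieces[1][i - 1]` is only read when '(' was found, so the string is non-empty and `i - 1` cannot be -1. The commit message quotes two AddressSanitizer traces while this hunk sits next to the second one (testcase.c:2799); a testcase file for each crashing input would show that both paths are covered by this one-line change.
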
Comment 3 Karol Babioch 2019-01-31 14:02:01 UTC
But the patch only touches "ext/testcase.c", not src/pool.h as claimed by the CVE.

Is this worthwhile to fix and will you eventually do so, or is it not important enough from your point of view?
Comment 4 Michael Schröder 2019-01-31 14:45:40 UTC
So the CVE is wrong. It crashes in pool.h but the fix is in testcase.c. See the commit.

(All of these are no security issues anyway...)
Comment 5 Karol Babioch 2019-02-08 10:37:33 UTC
This only affects the test suite and not the underlying library. It cannot be exploited in any real-world application and hence should not be considered as a vulnerability in libsolv itself.
Comment 12 Swamp Workflow Management 2019-07-25 16:12:19 UTC
SUSE-SU-2019:1972-1: An update that solves three vulnerabilities and has 9 fixes is now available.

Category: security (moderate)
Bug References: 1109893,1110542,1111319,1112911,1113296,1120629,1120630,1120631,1127155,1131823,1134226,1137977
CVE References: CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
Sources used:
SUSE OpenStack Cloud 8 (src):    libsolv-0.6.36-2.16.2, libzypp-16.20.0-2.39.4, zypper-1.13.51-21.26.4
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libsolv-0.6.36-2.16.2, libzypp-16.20.0-2.39.4
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    libsolv-0.6.36-2.16.2, libzypp-16.20.0-2.39.4
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    libsolv-0.6.36-2.16.2, libzypp-16.20.0-2.39.4, zypper-1.13.51-21.26.4
SUSE Linux Enterprise Server 12-SP5 (src):    libsolv-0.6.36-2.16.2, libzypp-16.20.0-2.39.4, zypper-1.13.51-21.26.4
SUSE Linux Enterprise Server 12-SP4 (src):    libsolv-0.6.36-2.16.2, libzypp-16.20.0-2.39.4, zypper-1.13.51-21.26.4
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    libsolv-0.6.36-2.16.2, libzypp-16.20.0-2.39.4, zypper-1.13.51-21.26.4
SUSE Linux Enterprise Desktop 12-SP5 (src):    libsolv-0.6.36-2.16.2, libzypp-16.20.0-2.39.4, zypper-1.13.51-21.26.4
SUSE Linux Enterprise Desktop 12-SP4 (src):    libsolv-0.6.36-2.16.2, libzypp-16.20.0-2.39.4, zypper-1.13.51-21.26.4
SUSE Enterprise Storage 5 (src):    libsolv-0.6.36-2.16.2, libzypp-16.20.0-2.39.4, zypper-1.13.51-21.26.4
SUSE CaaS Platform 3.0 (src):    libsolv-0.6.36-2.16.2, libzypp-16.20.0-2.39.4, zypper-1.13.51-21.26.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2019-07-31 22:13:46 UTC
SUSE-SU-2019:2030-1: An update that solves three vulnerabilities and has 41 fixes is now available.

Category: security (moderate)
Bug References: 1047962,1049826,1053177,1065022,1099019,1102261,1110542,1111319,1112911,1113296,1114908,1115341,1116840,1118758,1119373,1119820,1119873,1120263,1120463,1120629,1120630,1120631,1121611,1122062,1122471,1123137,1123681,1123843,1123865,1123967,1124897,1125415,1127026,1127155,1127220,1130161,1131823,1135749,1137977,663358,764147,965786,978193,993025
CVE References: CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
Sources used:
SUSE Linux Enterprise Workstation Extension 15 (src):    PackageKit-1.1.10-4.10.4
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    libsolv-0.7.5-3.12.2, libyui-ncurses-pkg-2.48.5.2-3.5.2, libyui-qt-pkg-2.45.15.2-3.5.3, libzypp-17.12.0-3.23.6, zypper-1.14.28-3.18.6
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    PackageKit-1.1.10-4.10.4, libsolv-0.7.5-3.12.2, libzypp-17.12.0-3.23.6, yast2-pkg-bindings-devel-doc-4.0.13-3.7.2, zypper-1.14.28-3.18.6
SUSE Linux Enterprise Module for Development Tools 15 (src):    libsolv-0.7.5-3.12.2
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    PackageKit-1.1.10-4.10.4, libyui-qt-pkg-2.45.15.2-3.5.3
SUSE Linux Enterprise Module for Basesystem 15 (src):    libsolv-0.7.5-3.12.2, libyui-ncurses-pkg-2.48.5.2-3.5.2, libyui-ncurses-pkg-doc-2.48.5.2-3.5.3, libyui-qt-pkg-2.45.15.2-3.5.3, libyui-qt-pkg-doc-2.45.15.2-3.5.3, libzypp-17.12.0-3.23.6, yast2-pkg-bindings-4.0.13-3.7.2, zypper-1.14.28-3.18.6
SUSE Linux Enterprise Installer 15 (src):    libsolv-0.7.5-3.12.2, libyui-ncurses-pkg-2.48.5.2-3.5.2, libyui-qt-pkg-2.45.15.2-3.5.3, libzypp-17.12.0-3.23.6, yast2-pkg-bindings-4.0.13-3.7.2, zypper-1.14.28-3.18.6

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2019-08-18 13:14:54 UTC
openSUSE-SU-2019:1927-1: An update that solves three vulnerabilities and has 41 fixes is now available.

Category: security (moderate)
Bug References: 1047962,1049826,1053177,1065022,1099019,1102261,1110542,1111319,1112911,1113296,1114908,1115341,1116840,1118758,1119373,1119820,1119873,1120263,1120463,1120629,1120630,1120631,1121611,1122062,1122471,1123137,1123681,1123843,1123865,1123967,1124897,1125415,1127026,1127155,1127220,1130161,1131823,1135749,1137977,663358,764147,965786,978193,993025
CVE References: CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
Sources used:
openSUSE Leap 15.0 (src):    PackageKit-1.1.10-lp150.11.1, libsolv-0.7.5-lp150.7.1, libyui-ncurses-pkg-2.48.5.2-lp150.7.1, libyui-qt-pkg-2.45.15.2-lp150.7.1, libzypp-17.12.0-lp150.2.13.1, yast2-pkg-bindings-4.0.13-lp150.2.13.1, zypper-1.14.28-lp150.2.13.1
Comment 15 Swamp Workflow Management 2019-09-02 10:35:32 UTC
SUSE-SU-2019:2265-1: An update that solves three vulnerabilities and has 13 fixes is now available.

Category: security (moderate)
Bug References: 1049825,1109893,1110542,1111319,1112911,1113296,1116995,1120629,1120630,1120631,1127155,1131823,1134226,1137977,1140039,1145521
CVE References: CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    libsolv-0.6.36-2.27.19.8, libzypp-16.20.2-27.60.4, zypper-1.13.54-18.40.2
SUSE OpenStack Cloud 8 (src):    libsolv-0.6.36-2.27.19.8, libzypp-16.20.2-27.60.4, zypper-1.13.54-18.40.2
SUSE OpenStack Cloud 7 (src):    libsolv-0.6.36-2.27.19.8, libzypp-16.20.2-27.60.4, zypper-1.13.54-18.40.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    libsolv-0.6.36-2.27.19.8, libzypp-16.20.2-27.60.4, zypper-1.13.54-18.40.2
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    libsolv-0.6.36-2.27.19.8, libzypp-16.20.2-27.60.4, zypper-1.13.54-18.40.2
SUSE Linux Enterprise Server 12-SP4 (src):    libsolv-0.6.36-2.27.19.8, libzypp-16.20.2-27.60.4, zypper-1.13.54-18.40.2
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    libsolv-0.6.36-2.27.19.8, libzypp-16.20.2-27.60.4, zypper-1.13.54-18.40.2
SUSE Linux Enterprise Server 12-SP3-BCL (src):    libsolv-0.6.36-2.27.19.8, libzypp-16.20.2-27.60.4, zypper-1.13.54-18.40.2
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    libsolv-0.6.36-2.27.19.8, libzypp-16.20.2-27.60.4, zypper-1.13.54-18.40.2
SUSE Linux Enterprise Server 12-SP2-BCL (src):    libsolv-0.6.36-2.27.19.8, libzypp-16.20.2-27.60.4, zypper-1.13.54-18.40.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    libsolv-0.6.36-2.27.19.8, libzypp-16.20.2-27.60.4, zypper-1.13.54-18.40.2
SUSE Enterprise Storage 5 (src):    libsolv-0.6.36-2.27.19.8, libzypp-16.20.2-27.60.4, zypper-1.13.54-18.40.2
SUSE Enterprise Storage 4 (src):    libsolv-0.6.36-2.27.19.8, libzypp-16.20.2-27.60.4, zypper-1.13.54-18.40.2
SUSE CaaS Platform 3.0 (src):    libsolv-0.6.36-2.27.19.8, libzypp-16.20.2-27.60.4, zypper-1.13.54-18.40.2
HPE Helion Openstack 8 (src):    libsolv-0.6.36-2.27.19.8, libzypp-16.20.2-27.60.4, zypper-1.13.54-18.40.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2019-10-22 16:56:10 UTC
SUSE-RU-2019:2742-1: An update that solves three vulnerabilities and has 18 fixes is now available.

Category: recommended (important)
Bug References: 1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480
CVE References: CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    PackageKit-1.1.10-12.3.5
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src):    libsolv-0.7.6-3.7.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    PackageKit-1.1.10-12.3.5, libsolv-0.7.6-3.7.2, libzypp-17.15.0-3.9.1, yast2-pkg-bindings-devel-doc-4.1.2-3.3.5, zypper-1.14.30-3.7.2
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    libsolv-0.7.6-3.7.2
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    PackageKit-1.1.10-12.3.5, libyui-qt-pkg-2.45.27-3.3.5
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    libsolv-0.7.6-3.7.2, libyui-ncurses-pkg-2.48.9-7.3.5, libyui-ncurses-pkg-doc-2.48.9-7.3.3, libyui-qt-pkg-2.45.27-3.3.5, libyui-qt-pkg-doc-2.45.27-3.3.3, libzypp-17.15.0-3.9.1, yast2-pkg-bindings-4.1.2-3.3.5, zypper-1.14.30-3.7.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2019-10-27 23:24:40 UTC
openSUSE-RU-2019:2391-1: An update that solves three vulnerabilities and has 18 fixes is now available.

Category: recommended (important)
Bug References: 1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480
CVE References: CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
Sources used:
openSUSE Leap 15.1 (src):    PackageKit-1.1.10-lp151.8.6.1, libsolv-0.7.6-lp151.2.3.2, libyui-ncurses-pkg-2.48.9-lp151.2.3.1, libyui-ncurses-pkg-doc-2.48.9-lp151.2.3.1, libyui-qt-pkg-2.45.27-lp151.2.3.1, libyui-qt-pkg-doc-2.45.27-lp151.2.3.1, libzypp-17.15.0-lp151.2.3.2, yast2-pkg-bindings-4.1.2-lp151.2.3.1, yast2-pkg-bindings-devel-doc-4.1.2-lp151.2.3.1, zypper-1.14.30-lp151.2.3.1
Comment 18 Swamp Workflow Management 2020-09-16 19:16:07 UTC
SUSE-SU-2020:2660-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1120629,1120630,1120631,1127155,1131823,1137977
CVE References: CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    libsolv-0.6.36-2.30.1
SUSE OpenStack Cloud Crowbar 8 (src):    libsolv-0.6.36-2.30.1
SUSE OpenStack Cloud 9 (src):    libsolv-0.6.36-2.30.1
SUSE OpenStack Cloud 8 (src):    libsolv-0.6.36-2.30.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libsolv-0.6.36-2.30.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    libsolv-0.6.36-2.30.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    libsolv-0.6.36-2.30.1
SUSE Linux Enterprise Server 12-SP5 (src):    libsolv-0.6.36-2.30.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    libsolv-0.6.36-2.30.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    libsolv-0.6.36-2.30.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    libsolv-0.6.36-2.30.1
SUSE Enterprise Storage 5 (src):    libsolv-0.6.36-2.30.1
HPE Helion Openstack 8 (src):    libsolv-0.6.36-2.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.