Bugzilla – Bug 1189060
VUL-0: CVE-2021-3622: hivex: hivex: stack overflow due to recursive call of _get_children()
Last modified: 2022-04-14 15:29:00 UTC
A flaw was found in libhivex. A stack overflow occurs as the children of each listed node grow. This causes the _get_children function to continue calling itself until it eventually overflows the stack and causes the program to crash.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1975489
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3622
Affected packages:
- SUSE:SLE-12:Update/hivex 1.3.10
- SUSE:SLE-15:Update/hivex 1.3.14
- openSUSE:Factory/hivex 1.3.20

Please backport the patch [0] to SLE* products and upgrade Factory to v1.3.21.

[0] https://github.com/libguestfs/hivex/commit/771728218dac2fbf6997a7e53225e75a4c6b7255.patch
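To illustrate the flaw described above and the kind of bound that prevents it, here is an added C example; it is not hivex's code and not the referenced patch. A hypothetical, simplified node walker stops recursing past an assumed MAX_DEPTH and reports an error instead of exhausting the stack on a deeply nested or self-referencing child list. The struct, function names and the depth bound are assumptions.

```c
#include <errno.h>
#include <stdlib.h>

/* Hypothetical simplified hive node (added illustration, not hivex's own
 * struct): first child plus next sibling, like a registry key's subkey list. */
struct node {
    struct node *children;
    struct node *next;
};
#define MAX_DEPTH 64 /* assumed bound; the real hivex limit may differ */

/* Count nodes reachable from n. Instead of recursing until the stack
 * overflows on a deeply nested or cyclic subkey list, stop at MAX_DEPTH
 * and report failure (-1, errno = ELOOP). */
long count_nodes(const struct node *n, int depth)
{
    if (n == NULL) return 0;
    if (depth > MAX_DEPTH) { errno = ELOOP; return -1; }
    long total = 0;
    for (; n != NULL; n = n->next) {
        long sub = count_nodes(n->children, depth + 1);
        if (sub < 0) return -1;
        total += 1 + sub;
    }
    return total;
}

/* Constructed input: a chain of `levels` nodes, each the only child of
 * the previous one. Returns the count, or -1 if the depth check fires. */
long walk_chain(int levels)
{
    struct node *head = NULL;
    for (int i = 0; i < levels; i++) {
        struct node *n = calloc(1, sizeof *n);
        if (n == NULL) abort();
        n->children = head;
        head = n;
    }
    long result = count_nodes(head, 0);
    while (head != NULL) { /* free the chain top-down */
        struct node *child = head->children;
        free(head);
        head = child;
    }
    return result;
}

/* Constructed input: a node whose child pointer refers back to itself;
 * unbounded recursion would never terminate on such a malformed hive. */
long walk_cycle(void)
{
    struct node self = { &self, NULL };
    return count_nodes(&self, 0);
}
```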
Charles, could you handle this one?
This is an autogenerated message for OBS integration:
This bug (1189060) was mentioned in
https://build.opensuse.org/request/show/910529 Factory / hivex
Submitted to all relevant branches.
SUSE-SU-2021:3201-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1189060
CVE References: CVE-2021-3622
JIRA References:
Sources used:
SUSE MicroOS 5.0 (src): hivex-1.3.14-5.6.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): hivex-1.3.14-5.6.1
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src): hivex-1.3.14-5.6.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): hivex-1.3.14-5.6.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): hivex-1.3.14-5.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:3201-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1189060
CVE References: CVE-2021-3622
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): hivex-1.3.14-5.6.1
SUSE-SU-2021:3210-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1189060
CVE References: CVE-2021-3622
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): hivex-1.3.10-5.7.1
SUSE Linux Enterprise Server 12-SP5 (src): hivex-1.3.10-5.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:1319-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1189060
CVE References: CVE-2021-3622
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): hivex-1.3.14-lp152.4.6.1
SUSE-SU-2021:3201-2: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1189060
CVE References: CVE-2021-3622
JIRA References:
Sources used:
SUSE MicroOS 5.1 (src): hivex-1.3.14-5.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done.