1211889 – (CVE-2023-33461) VUL-0: CVE-2023-33461: iniparser: NULL pointer dereference in iniparser_getboolean()

Bug 1211889 (CVE-2023-33461) - VUL-0: CVE-2023-33461: iniparser: NULL pointer dereference in iniparser_getboolean()

Summary: VUL-0: CVE-2023-33461: iniparser: NULL pointer dereference in iniparser_getbo...

Status:	RESOLVED FIXED

Alias:	CVE-2023-33461

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/368084/
Whiteboard:	CVSSv3.1:SUSE:CVE-2023-33461:5.5:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2023-06-01 08:41 UTC by Carlos López
Modified:	2024-02-22 14:34 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Carlos López 2023-06-01 08:41:57 UTC

CVE-2023-33461

iniparser v4.1 is vulnerable to NULL Pointer Dereference in function
iniparser_getlongint which misses check NULL for function iniparser_getstring's
return.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-33461
https://www.cve.org/CVERecord?id=CVE-2023-33461
https://github.com/ndevilla/iniparser/issues/144

Comment 1 Carlos López 2023-06-01 08:46:19 UTC

Relevant for:
- SUSE:SLE-12:Update/iniparser
- SUSE:SLE-15-SP5:Update/iniparser
- openSUSE:Backports:SLE-15-SP4/iniparser
- openSUSE:Factory/iniparser

Comment 3 Maintenance Automation 2023-06-28 16:30:17 UTC

SUSE-SU-2023:2692-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1211889
CVE References: CVE-2023-33461
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): iniparser-3.1.0.git20140619_c5beb80a-3.3.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): iniparser-3.1.0.git20140619_c5beb80a-3.3.1
SUSE Linux Enterprise Server 12 SP5 (src): iniparser-3.1.0.git20140619_c5beb80a-3.3.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): iniparser-3.1.0.git20140619_c5beb80a-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 4 Maintenance Automation 2023-06-30 16:30:17 UTC

SUSE-SU-2023:2749-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1211889
CVE References: CVE-2023-33461
Sources used:
openSUSE Leap 15.5 (src): iniparser-4.1-150500.4.3.1
Server Applications Module 15-SP5 (src): iniparser-4.1-150500.4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 5 OBSbugzilla Bot 2023-07-13 16:35:03 UTC

This is an autogenerated message for OBS integration:
This bug (1211889) was mentioned in
https://build.opensuse.org/request/show/1098556 Backports:SLE-15-SP4 / iniparser

Comment 6 Marcus Meissner 2023-07-17 19:05:34 UTC

openSUSE-SU-2023:0183-1: An update that fixes one vulnerability is now available.\n\nCategory: security (moderate)\nBug References: 1211889\nCVE References: CVE-2023-33461\nJIRA References: \nSources used:\nopenSUSE Backports SLE-15-SP4 (src):    iniparser-4.1-bp154.2.3.1\n\n

Comment 7 Antonio Teixeira 2023-07-21 12:09:14 UTC

Fixed in affected codestreams. Closing.

Comment 11 Carlos López 2024-02-22 14:34:22 UTC

Done, closing.