Bug 1186237 - (CVE-2020-23856) VUL-0: CVE-2020-23856: cflow: Use-after-Free vulnerability in cflow 1.6
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Development
Version: Leap 15.2
Hardware: Other Other
Priority: P3 - Medium, Severity: Minor
Assigned To: Petr Uzel
QA Contact: Security Team bot
Reported: 2021-05-19 10:08 UTC by Gianluca Gabrielli
Modified: 2021-05-19 14:44 UTC (History)
Found By: Security Response Team


Description Gianluca Gabrielli 2021-05-19 10:08:53 UTC

Use-after-Free vulnerability in cflow 1.6 in the void call(char *name, int line)
function at src/parser.c, which could cause a denial of service via the pointer
variable caller->callee.

Comment 1 Gianluca Gabrielli 2021-05-19 10:13:41 UTC
This might affect the following packages:

 - openSUSE:Factory/cflow     1.6
 - openSUSE:Leap:15.2/cflow   1.5

I've not been able to find any official statement from cflow devs. I requested additional info from the bug reporter [0].

The last cflow release is version 1.6 (released on February 23, 2019).

[0] https://github.com/yangjiageng/PoC/issues/1