Bug 1195629 - (CVE-2021-45429) VUL-0: CVE-2021-45429: yara: Buffer Overflow vulnerability
Status: REOPENED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.2
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Greg Freemyer
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/322740/
Depends on:
Blocks:
Reported: 2022-02-07 11:39 UTC by Robert Frohl
Modified: 2022-02-09 15:47 UTC
CC: 0 users
See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Robert Frohl 2022-02-07 11:39:33 UTC
rh#2051367

A Buffer Overflow vulnerability exists in VirusTotal YARA git commit: 605b2edf07ed8eb9a2c61ba22eb2e7c362f47ba7 via yr_set_configuration in yara/libyara/libyara.c, which could cause a Denial of Service.

https://github.com/VirusTotal/yara/issues/1616

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2051367
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-45429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45429
https://github.com/VirusTotal/yara/issues/1616
Comment 1 Robert Frohl 2022-02-07 11:40:43 UTC
The commit (605b2ed) that introduced the problem is only in v4.2.0-rc1, so it should not affect openSUSE.
Comment 2 Robert Frohl 2022-02-07 11:41:40 UTC
Maybe let's leave it open until the fix is added to Factory.
Comment 3 Robert Frohl 2022-02-07 12:14:56 UTC
Probably wrong maintainer, re-assigning.
Comment 4 Dirk Mueller 2022-02-07 12:17:20 UTC
$ osc bugowner -e yara
Defined in package: security:forensics/yara 
  bugowner of yara : 
   Greg.Freemyer@gmail.com
Comment 5 Robert Frohl 2022-02-07 13:20:43 UTC
OK, might have the correct maintainer now.
Comment 6 Robert Frohl 2022-02-07 13:21:53 UTC
(In reply to Dirk Mueller from comment #4)
> $ osc bugowner -e yara
> Defined in package: security:forensics/yara 
>   bugowner of yara : 
>    Greg.Freemyer@gmail.com

The query recently broke; we have been waiting for a fix.