Bug 1198809 - (CVE-2022-1427) VUL-0: CVE-2022-1427: mruby: Out-of-bounds Read in mrb_obj_is_kind_of
(CVE-2022-1427)
VUL-0: CVE-2022-1427: mruby: Out-of-bounds Read in mrb_obj_is_kind_of
Status: RESOLVED WORKSFORME
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Leap 15.4
Other Other
: P3 - Medium : Minor (vote)
: ---
Assigned To: Ferdinand Thiessen
Security Team bot
https://smash.suse.de/issue/329965/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-04-25 08:28 UTC by Hu
Modified: 2022-04-26 19:20 UTC (History)
0 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hu 2022-04-25 08:28:47 UTC
CVE-2022-1427

Out-of-bounds Read in mrb_obj_is_kind_of in in GitHub repository mruby/mruby
prior to 3.2. # Impact: Possible arbitrary code execution if being exploited.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1427
https://github.com/mruby/mruby/commit/a4d97934d51cb88954cc49161dc1d151f64afb6b
http://www.cvedetails.com/cve/CVE-2022-1427/
https://huntr.dev/bounties/23b6f0a9-64f5-421e-a55f-b5b7a671f301
Comment 1 Hu 2022-04-25 08:28:59 UTC
Affected:
- openSUSE:Factory/mruby 3.0.0
Comment 2 Ferdinand Thiessen 2022-04-26 19:20:16 UTC
Could not reproduce, POC does not work for Factory.
Probably not affected (most reported CVEs are only affecting the git version):

> % mruby POC
> trace (most recent call last):
>         [2] ./d.m:1
>         [1] ./d.m:3:in initialize
> ./POC:3:in instance_exec: super called outside of method (NoMethodError)