Bug 1665532 (CVE-2018-20532)

Summary: CVE-2018-20532 libsolv: NULL pointer dereference in function testcase_read
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: jrohel, rschiron
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Last Closed: 2019-08-06 19:20:36 UTC
Bug Depends On: 1652605, 1665533, 1669562, 1669563    
Bug Blocks: 1665540    

Description Laura Pardo 2019-01-11 16:49:59 UTC
A vulnerability was found in libsolv through 0.7.2. There is a NULL pointer dereference at ext/testcase.c (function testcase_read) in libsolvext.a that will cause a denial of service.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1652605

Upstream Patch:
https://github.com/openSUSE/libsolv/pull/291

Comment 1 Laura Pardo 2019-01-11 16:50:13 UTC
Created libsolv tracking bugs for this issue:

Affects: fedora-all [bug 1665533]

Comment 2 Riccardo Schirone 2019-01-25 16:30:58 UTC
Function testcase_read() reads a testcase from a file; however, when the file is malformed and it contains a "namespace" entry, a typo in an error check condition in the code makes the program continue with the malformed input, crashing shortly after the check because it tries to access a pointer to NULL.
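
The failure mode described in Comment 2, as an added C example that is not part of the original comment and is not libsolv's code. It assumes the typo is `&&` written where `||` was intended and uses a constructed `name(arg)` entry format; all function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Constructed "name(arg)" entry format; hypothetical names, not libsolv code. */

/* Flawed check (assumed typo: && where || was meant): rejects only when '('
 * AND the closing ')' are both missing, so "name)" passes with *open == NULL. */
static int check_flawed(const char *s, const char **open)
{
    size_t n = strlen(s);
    *open = strchr(s, '(');
    if (!*open && (n == 0 || s[n - 1] != ')'))
        return -1;              /* rejected */
    return 0;                   /* accepted, but *open may still be NULL */
}

/* Corrected check: reject when either delimiter is missing. */
static int check_fixed(const char *s, const char **open)
{
    size_t n = strlen(s);
    *open = strchr(s, '(');
    if (!*open || n == 0 || s[n - 1] != ')')
        return -1;
    return 0;
}

/* Returns 1 when a check accepts the entry yet leaves the pointer NULL,
 * the state in which the next dereference would crash the caller. */
int accepts_with_null(int (*check)(const char *, const char **), const char *s)
{
    const char *open = NULL;
    return check(s, &open) == 0 && open == NULL;
}

/* Hardened parser: copies the text between '(' and the final ')' into out.
 * Returns the argument length, or -1 for malformed input or a short buffer. */
int parse_entry(const char *s, char *out, size_t outsz)
{
    const char *open;
    size_t len;
    if (!s || !out || check_fixed(s, &open) != 0)
        return -1;
    len = strlen(open + 1) - 1; /* exclude the trailing ')' */
    if (len >= outsz)
        return -1;
    memcpy(out, open + 1, len);
    out[len] = '\0';
    return (int)len;
}
```

A regression test for this class of bug should feed the parser entries that satisfy only one of the two conditions, since those are the inputs a wrong boolean operator lets through.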

Comment 4 Riccardo Schirone 2019-01-25 16:44:46 UTC
On Red Hat Enterprise Linux the testsolv program is not shipped with any package, thus the flaw cannot be easily triggered, unless an existing program uses the vulnerable function testcase_read().

Comment 8 errata-xmlrpc 2019-08-06 12:37:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2290 https://access.redhat.com/errata/RHSA-2019:2290

Comment 9 Product Security DevOps Team 2019-08-06 19:20:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-20532