Bug 1853242 (CVE-2019-2708)

Summary: CVE-2019-2708 libdb: Denial of service in the Data Store component
Product: [Other] Security Response
Reporter: msiddiqu
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: aboyko, aileenc, asoldano, atangrin, bbaranow, besser82, bmaxwell, brian.stansberry, cdewolf, chazlett, csutherl, darran.lofthouse, databases-maint, davdunc, dkreling, dosoudil, esammons, gvarsami, gzaronik, hhorak, iweiss, jawilson, jclere, jcoleman, jnovy, jochrist, jperkins, jross, jwon, kconner, krathod, kwills, ldimaggi, lgao, mbabacek, mcressma, mmuzila, msochure, msvehla, myarboro, nwallace, pjindal, pkubat, pmackay, psotirop, rguimara, rrajasek, rstancel, rsvoboda, rwagner, smaestri, tcunning, tkirby, tom.jenkinson, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Last Closed: 2021-05-18 14:34:44 UTC
Bug Depends On: 1853243, 1853244, 1853258, 1856236, 1856237, 1859285
Bug Blocks: 1853246

Attachments:
Patch between db-18.1.40 and db-18.1.32 (flags: none)

Description msiddiqu 2020-07-02 08:57:46 UTC
Vulnerability in the Data Store component of Oracle Berkeley DB. Supported versions that are affected are prior to 6.138, prior to 6.2.38 and prior to 18.1.32. Easily exploitable vulnerability allows a low privileged attacker having Local Logon privilege with logon to the infrastructure where Data Store executes to compromise Data Store. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Data Store.

References:

http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Comment 1 msiddiqu 2020-07-02 08:58:40 UTC
Created libdb tracking bugs for this issue:

Affects: fedora-all [bug 1853243]


Created libdb4 tracking bugs for this issue:

Affects: fedora-all [bug 1853244]

Comment 2 msiddiqu 2020-07-02 09:35:18 UTC
Created libdb4 tracking bugs for this issue:

Affects: epel-7 [bug 1853258]

Comment 3 Huzaifa S. Sidhpurwala 2020-07-13 06:29:53 UTC
Created attachment 1700770
Patch between db-18.1.40 and db-18.1.32

This is the patch between db-18.1.40 and db-18.1.32

Comment 4 Huzaifa S. Sidhpurwala 2020-07-13 06:30:45 UTC
According to Oracle, the patch at https://bugzilla.redhat.com/attachment.cgi?id=1700770&action=diff addresses the following:

Fixed several possible crashes when running db_verify on a corrupted database. [#27864]

Fixed several possible hangs when running db_verify on a corrupted database. [#27864]

Added a warning message when attempting to verify a queue database which has many extent files. Verification will take a long time if there are many extent files. [#27864]

Comment 8 errata-xmlrpc 2021-05-18 14:12:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1675 https://access.redhat.com/errata/RHSA-2021:1675

Comment 9 Product Security DevOps Team 2021-05-18 14:34:44 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-2708