Bug 1962307 (CVE-2021-3200)

Summary: CVE-2021-3200 libsolv: heap-based buffer overflow in testcase_read() in src/testcase.c
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bbuckingham, bcoca, bcourt, bkearney, btotty, chousekn, cmeyers, davidn, gblomqui, hhudgeon, igor.raits, jcammara, jhardy, jmracek, jobarker, jrohel, kaycoth, lzap, mabashia, mcermak, mmccune, ngompa13, nmoumoul, osapryki, packaging-team-maint, pcreech, pkratoch, rchan, relrod, rjerrido, rpetrell, rpm-software-management, sdoran, smcdonal, sokeeffe, tkuratom, vmugicag, ytale
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libsolv 0.7.17 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libsolv. A buffer overflow vulnerability could cause a denial of service. The highest threat from this vulnerability is to system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-02 23:32:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1973712, 1962308, 1966716, 1968516    
Bug Blocks: 1962309    

Description Guilherme de Almeida Suckevicz 2021-05-19 17:41:36 UTC 
Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c: line 2334, which could cause a denial of service

Reference:
https://github.com/openSUSE/libsolv/issues/416
Comment 1 Guilherme de Almeida Suckevicz 2021-05-19 17:42:22 UTC 
Created libsolv tracking bugs for this issue:

Affects: fedora-all [bug 1962308]
Comment 2 Yadnyawalk Tale 2021-05-24 18:01:41 UTC 
Upstream fix:
https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec
Comment 6 Tapas Jena 2021-06-18 14:22:26 UTC 
Analysis is complete for Ansible Automation Platform and it was found that the vulnerable library is being used by Pulp Core component of AAP 1.2 as shown below:
manifest.txt:ansible_automation_platform:1.2::el7/libsolv-0.7.12-2.el7pc
manifest.txt:ansible_automation_platform:1.2::el8/libsolv-0:0.7.12-2.el8pc

However, this is an indirect dependency which gets pulled up in all the stacks while installing Automation Hub. That means, Pulp core is just relying on a package which rely on libsolv Lib. Hence, the ansible component i.e. pulp core is not directly impacted by this vulnerability. Moreover, as the vulnerable function i.e. testcase_read() is being used in in Test systems only, not anywhere in Production environment. Hence, changing the severity to "Low" for Ansible.
Comment 10 errata-xmlrpc 2021-11-09 18:40:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4408 https://access.redhat.com/errata/RHSA-2021:4408
Comment 11 errata-xmlrpc 2022-07-05 14:26:31 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.11 for RHEL 7
  Red Hat Satellite 6.11 for RHEL 8

Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498