Bug 2189103 (CVE-2021-46878)

Summary: CVE-2021-46878 fluent-bit: type confusion causing use-after-free in flb_pack_msgpack_to_json_format
Product: [Other] Security Response
Reporter: Anten Skrabec <askrabec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: high
Priority: high
Version: unspecified
Keywords: Security
Hardware: All   
OS: Linux   
Doc Text:
The package fluent-bit is vulnerable to a Use After Free due to erroneous parsing in the flb_pack_msgpack_to_json_format() function, which leads to type confusion.
Last Closed: 2023-04-24 13:15:05 UTC
Bug Depends On: 2189104, 2189105    
Bug Blocks: 2186018    

Description Anten Skrabec 2023-04-24 08:35:25 UTC
An issue was discovered in Treasure Data Fluent Bit 1.7.1. Erroneous parsing in flb_pack_msgpack_to_json_format leads to a type confusion bug that interprets whatever is on the stack as msgpack maps and arrays, leading to use-after-free. This can be used by an attacker to craft a specially crafted file and trick the victim into opening it using the affected software, triggering a use-after-free and executing arbitrary code on the target system.

Comment 1 Anten Skrabec 2023-04-24 08:35:40 UTC
Created fluent-bit tracking bugs for this issue:

Affects: epel-8 [bug 2189105]
Affects: fedora-all [bug 2189104]

Comment 2 Product Security DevOps Team 2023-04-24 13:15:03 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.