1668005 – (CVE-2019-3817) CVE-2019-3817 libcomps: use after free when merging two objmrtrees

Bug 1668005 (CVE-2019-3817) - CVE-2019-3817 libcomps: use after free when merging two objmrtrees

Summary: CVE-2019-3817 libcomps: use after free when merging two objmrtrees

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-3817
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1668680 1668681 1668683 1668684
Blocks:	1668006
TreeView+	depends on / blocked

Reported:	2019-01-21 16:53 UTC by Riccardo Schirone
Modified:	2021-02-16 22:30 UTC (History)
CC List:	6 users (show)
Fixed In Version:	libcomps 0.1.10
Doc Type:	If docs needed, set a value
Doc Text:	A use-after-free flaw has been discovered in libcomps in the way ObjMRTrees are merged. An attacker, who is able to make an application read a crafted comps XML file, may be able to crash the application or execute malicious code.
Clone Of:
Environment:
Last Closed:	2019-11-06 00:51:52 UTC

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2019:3583	0	None	None	None	2019-11-05 21:15:04 UTC
Red Hat Product Errata	RHSA-2019:3898	0	None	None	None	2019-11-18 13:02:54 UTC

Description Riccardo Schirone 2019-01-21 16:53:44 UTC

There is a use-after-free in libcomps library in comps_objmradix.c:comps_objmrtree_unite() function. When two ObjMRTrees are merged, pair variable may be freed and accessed again at the next iteration. An attacker who is able to craft a malicious comps XML file may use this flaw to crash the application or potentially execute code.

Upstream issue:
https://github.com/rpm-software-management/libcomps/issues/41

Comment 1 Riccardo Schirone 2019-01-21 16:53:46 UTC

Acknowledgments:

Name: Riccardo Schirone (Red Hat Product Security)

Comment 2 Riccardo Schirone 2019-01-21 17:04:50 UTC

libcomps library is mainly used by dnf and koji.

Comment 3 Riccardo Schirone 2019-01-22 09:56:45 UTC

ObjMRTree object type is used to implement the MDict type, which is used to store the "blacklist" and the "whiteout" parts of a comps XML file. However, when merging two Doc objects, blacklist and whiteout are not merged, thus code that do not directly use MDict (e.g. dnf and koji) cannot trigger the flaw.

Comment 4 Riccardo Schirone 2019-01-22 11:58:55 UTC

Upstream patch:
https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046

Comment 6 Riccardo Schirone 2019-01-23 10:30:30 UTC

Created libcomps tracking bugs for this issue:

Affects: epel-7 [bug 1668681]
Affects: fedora-all [bug 1668680]

Comment 9 Jaroslav Rohel 2019-04-04 07:30:10 UTC

Upstream patch https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046 was merged.
Fixed in libcomps version 0.1.10

Comment 10 errata-xmlrpc 2019-11-05 21:15:03 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3583 https://access.redhat.com/errata/RHSA-2019:3583

Comment 11 Product Security DevOps Team 2019-11-06 00:51:52 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3817

Comment 12 errata-xmlrpc 2019-11-18 13:02:53 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2019:3898 https://access.redhat.com/errata/RHSA-2019:3898

Note You need to log in before you can comment on or make changes to this bug.