Bug 1668005 (CVE-2019-3817) - CVE-2019-3817 libcomps: use after free when merging two objmrtrees
Summary: CVE-2019-3817 libcomps: use after free when merging two objmrtrees
Alias: CVE-2019-3817
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1668680 1668681 1668683 1668684
Blocks: 1668006
TreeView+ depends on / blocked
Reported: 2019-01-21 16:53 UTC by Riccardo Schirone
Modified: 2021-02-16 22:30 UTC (History)
6 users (show)

Fixed In Version: libcomps 0.1.10
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw has been discovered in libcomps in the way ObjMRTrees are merged. An attacker, who is able to make an application read a crafted comps XML file, may be able to crash the application or execute malicious code.
Clone Of:
Last Closed: 2019-11-06 00:51:52 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3583 0 None None None 2019-11-05 21:15:04 UTC
Red Hat Product Errata RHSA-2019:3898 0 None None None 2019-11-18 13:02:54 UTC

Description Riccardo Schirone 2019-01-21 16:53:44 UTC
There is a use-after-free in libcomps library in comps_objmradix.c:comps_objmrtree_unite() function. When two ObjMRTrees are merged, pair variable may be freed and accessed again at the next iteration. An attacker who is able to craft a malicious comps XML file may use this flaw to crash the application or potentially execute code.

Upstream issue:

Comment 1 Riccardo Schirone 2019-01-21 16:53:46 UTC

Name: Riccardo Schirone (Red Hat Product Security)

Comment 2 Riccardo Schirone 2019-01-21 17:04:50 UTC
libcomps library is mainly used by dnf and koji.

Comment 3 Riccardo Schirone 2019-01-22 09:56:45 UTC
ObjMRTree object type is used to implement the MDict type, which is used to store the "blacklist" and the "whiteout" parts of a comps XML file. However, when merging two Doc objects, blacklist and whiteout are not merged, thus code that do not directly use MDict (e.g. dnf and koji) cannot trigger the flaw.

Comment 6 Riccardo Schirone 2019-01-23 10:30:30 UTC
Created libcomps tracking bugs for this issue:

Affects: epel-7 [bug 1668681]
Affects: fedora-all [bug 1668680]

Comment 9 Jaroslav Rohel 2019-04-04 07:30:10 UTC
Upstream patch https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046 was merged.
Fixed in libcomps version 0.1.10

Comment 10 errata-xmlrpc 2019-11-05 21:15:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3583 https://access.redhat.com/errata/RHSA-2019:3583

Comment 11 Product Security DevOps Team 2019-11-06 00:51:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 12 errata-xmlrpc 2019-11-18 13:02:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2019:3898 https://access.redhat.com/errata/RHSA-2019:3898

Note You need to log in before you can comment on or make changes to this bug.