Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver *testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp) function at src/testcase.c, line 2334, which could cause a denial of service. Reference: https://github.com/openSUSE/libsolv/issues/416
Created libsolv tracking bugs for this issue: Affects: fedora-all [bug 1962308]
Upstream fix: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec
Analysis is complete for Ansible Automation Platform and it was found that the vulnerable library is being used by the Pulp Core component of AAP 1.2 as shown below:
manifest.txt:ansible_automation_platform:1.2::el7/libsolv-0.7.12-2.el7pc
manifest.txt:ansible_automation_platform:1.2::el8/libsolv-0:0.7.12-2.el8pc
However, this is an indirect dependency which gets pulled in to all the stacks while installing Automation Hub. That means Pulp Core is just relying on a package which relies on the libsolv library. Hence, the Ansible component, i.e. Pulp Core, is not directly impacted by this vulnerability. Moreover, the vulnerable function, i.e. testcase_read(), is being used in test systems only, not anywhere in a production environment. Hence, changing the severity to "Low" for Ansible.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4408 https://access.redhat.com/errata/RHSA-2021:4408
This issue has been addressed in the following products: Red Hat Satellite 6.11 for RHEL 7 Red Hat Satellite 6.11 for RHEL 8 Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498