psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object. Reference: https://github.com/giampaolo/psutil/pull/1616
Created python-psutil tracking bugs for this issue: Affects: epel-all [bug 1772016] Affects: fedora-all [bug 1772015]
Created python-psutil tracking bugs for this issue: Affects: openstack-rdo [bug 1772020]
Upstream fixes: https://github.com/giampaolo/psutil/commit/7d512c8e4442a896d56505be3e78f1156f443465 https://github.com/giampaolo/psutil/commit/3a9bccfd2c6d2e6538298cd3892058b1204056e0
Acknowledgments: Name: Riccardo Schirone (Red Hat)
Most of the functions in psutil/_psutil_*.c contain loops that convert system data into Python objects; during the process they create Python objects and decrement their refcounts after they have been added to the result list, at the end of the loop. In case of errors during the conversion of one of those objects, variables pointing to those Python objects have their refcounts decremented, to ensure that objects do not leak memory on the error path. However, after the first iteration variables may still point to already freed Python objects, and if an attacker is able to make the parsing of such objects fail, it is possible to decrement the refcount two times, thus causing a double-free issue. This could be used by a local attacker to get code execution with the privileges of the user running the python-psutil application.
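The loop shape described in the comment above, as an added example that is not psutil's code and not part of this bug report. Python.h is replaced by a toy refcounted object (`Obj`, `obj_decref`, `TOY_XDECREF`, `TOY_CLEAR`) that counts a DECREF on an already-freed object instead of corrupting the heap, so the double free is observable without a crash; `decode_field`, `MntEnt` and the `sample_mounts` table are constructed stand-ins for PyUnicode_DecodeFSDefault() and getmntent() records. The same function runs the pre-fix pattern (plain Py_DECREF at the end of each iteration) and the Py_CLEAR idiom that the linked upstream commits switch to.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ITEMS 8

/* Toy stand-in for CPython objects: enough refcount semantics to show the bug. */
typedef struct Obj {
    int refcnt;
    int freed;                       /* set once refcnt reaches zero */
    char name[32];
    struct Obj *items[MAX_ITEMS];    /* used when the object acts as a list */
    int nitems;
} Obj;

static int double_frees;             /* DECREFs applied to an already freed object */

static Obj *obj_new(const char *name) {
    Obj *o = calloc(1, sizeof *o);
    if (o == NULL) abort();
    o->refcnt = 1;
    strncpy(o->name, name, sizeof o->name - 1);
    return o;
}

static void obj_decref(Obj *o);

/* Deallocation: a list releases its items, like list_dealloc() does in CPython.
 * Memory is deliberately not returned to malloc so a later double free is
 * counted instead of corrupting the heap. */
static void obj_dealloc(Obj *o) {
    o->freed = 1;
    for (int i = 0; i < o->nitems; i++) obj_decref(o->items[i]);
}

static void obj_decref(Obj *o) {
    if (o->freed) { double_frees++; return; }   /* real CPython: heap corruption here */
    if (--o->refcnt == 0) obj_dealloc(o);
}

/* Py_XDECREF: skip NULL.  Py_CLEAR: NULL the variable before releasing. */
#define TOY_XDECREF(op) do { if ((op) != NULL) obj_decref(op); } while (0)
#define TOY_CLEAR(op) do { Obj *tmp_ = (op); (op) = NULL; TOY_XDECREF(tmp_); } while (0)

static void list_append(Obj *list, Obj *item) {
    if (list->nitems >= MAX_ITEMS) abort();
    list->items[list->nitems++] = item;
    item->refcnt++;                  /* the list now owns a reference too */
}

/* Constructed stand-in for PyUnicode_DecodeFSDefault(): "BAD" is a field that fails to decode. */
static Obj *decode_field(const char *s) {
    return strcmp(s, "BAD") == 0 ? NULL : obj_new(s);
}

typedef struct { const char *fsname; const char *dir; } MntEnt;   /* one getmntent() record */

/* Shape of the pre-fix psutil_disk_partitions() loop.  With fixed == 0 the
 * end-of-iteration release is a plain DECREF (the variables keep dangling);
 * with fixed != 0 it is Py_CLEAR-style (variables NULLed first).
 * Returns how many double frees the toy allocator observed. */
static int collect_partitions(const MntEnt *ents, int n, int fixed) {
    Obj *py_retlist = obj_new("list");
    Obj *py_dev = NULL, *py_mountp = NULL;
    double_frees = 0;
    for (int i = 0; i < n; i++) {
        py_dev = decode_field(ents[i].fsname);
        if (py_dev == NULL) goto error;
        py_mountp = decode_field(ents[i].dir);
        if (py_mountp == NULL) goto error;
        list_append(py_retlist, py_dev);
        list_append(py_retlist, py_mountp);
        if (fixed) { TOY_CLEAR(py_dev); TOY_CLEAR(py_mountp); }
        else { obj_decref(py_dev); obj_decref(py_mountp); }   /* list is sole owner now */
    }
    obj_decref(py_retlist);
    return double_frees;
error:
    TOY_XDECREF(py_dev);
    TOY_XDECREF(py_mountp);   /* unfixed: releases iteration i-1's object a second time */
    obj_decref(py_retlist);   /* list dealloc releases it a third time: double free */
    return double_frees;
}

/* Constructed mount table: the second entry's device name fails to decode,
 * which is the condition a user who can mount filesystems (e.g. FUSE) would aim for. */
static const MntEnt sample_mounts[] = { { "/dev/sda1", "/" }, { "BAD", "/mnt/fuse" } };

int main(void) {
    int n = sizeof sample_mounts / sizeof sample_mounts[0];
    printf("pre-fix loop:  %d double free(s)\n", collect_partitions(sample_mounts, n, 0));
    printf("Py_CLEAR loop: %d double free(s)\n", collect_partitions(sample_mounts, n, 1));
    return 0;
}
```

The failing field has to be one that is decoded after another field in the same iteration was already released; here entry two's device name fails while `py_mountp` still points at entry one's mount point, which the result list also owns. Setting the variable to NULL before the DECREF is what makes the `goto error` path safe regardless of which field fails.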
No upstream release yet with the fix mentioned in comment 3.
The affected functions in psutil/_psutil_linux.c and psutil/_psutil_posix.c are psutil_disk_partitions(), psutil_users() and psutil_net_if_addrs(). The last two can hardly be manipulated by an attacker, as they list the users and the network interfaces on a system, while the first could be manipulated by a user who can mount filesystems (e.g. with FUSE).
Attack Vector (AV) of CVSSv3 set to Local, as the affected functions for Linux are just psutil_disk_partitions(), psutil_users() and psutil_net_if_addrs(), and they would require a user to manipulate users, network interfaces and/or disk partitions to try to trigger the flaw.
Clarification regarding the case of the Satellite 6 product: the affected component runs on the clients using Satellite-Tools and being registered against a Satellite. The Satellite server itself does not ship python-psutil.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:2583 https://access.redhat.com/errata/RHSA-2020:2583
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-18874
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:2635 https://access.redhat.com/errata/RHSA-2020:2635
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.2 Via RHSA-2020:2593 https://access.redhat.com/errata/RHSA-2020:2593
This issue has been addressed in the following products: Red Hat Ansible Tower 3.7 for RHEL 7 Via RHSA-2020:4254 https://access.redhat.com/errata/RHSA-2020:4254
This issue has been addressed in the following products: Red Hat Ansible Tower 3.6 for RHEL 7 Via RHSA-2020:4255 https://access.redhat.com/errata/RHSA-2020:4255
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7, Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS, Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:4299 https://access.redhat.com/errata/RHSA-2020:4299
This issue has been addressed in the following products: Red Hat Satellite 6.8 for RHEL 7 Via RHSA-2021:1313 https://access.redhat.com/errata/RHSA-2021:1313
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4162 https://access.redhat.com/errata/RHSA-2021:4162
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4324 https://access.redhat.com/errata/RHSA-2021:4324