Bug 1668005 (CVE-2019-3817) - CVE-2019-3817 libcomps: use after free when merging two objmrtrees
Summary: CVE-2019-3817 libcomps: use after free when merging two objmrtrees
Keywords:
Status: NEW
Alias: CVE-2019-3817
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190121,repor...
Depends On: 1668683 1668684 1668680 1668681
Blocks: 1668006
Reported: 2019-01-21 16:53 UTC by Riccardo Schirone
Modified: 2019-06-08 23:49 UTC (History)

Fixed In Version: libcomps 0.1.10
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw has been discovered in libcomps in the way ObjMRTrees are merged. An attacker who is able to make an application read a crafted comps XML file may be able to crash the application or execute malicious code.
Clone Of:
Environment:
Last Closed:



Description Riccardo Schirone 2019-01-21 16:53:44 UTC
There is a use-after-free in the libcomps library, in the comps_objmradix.c:comps_objmrtree_unite() function. When two ObjMRTrees are merged, the pair variable may be freed and accessed again at the next iteration. An attacker who is able to craft a malicious comps XML file may use this flaw to crash the application or potentially execute code.

Upstream issue:
https://github.com/rpm-software-management/libcomps/issues/41
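The free-then-advance loop pattern this report describes, as a constructed C example added here (not libcomps code, and not the real comps_objmrtree_unite() logic): a singly linked list of key/value pairs stands in for the ObjMRTree, tree_unite_uaf frees the current pair and then reads pair->next in the loop header, and tree_unite is the hardened form that captures the link before the node can be freed. Every name below (struct pair, struct tree, tree_unite, demo_unite, the sample keys) is an assumption made for the illustration.

```c
/* Constructed illustration of the bug class in this report, not libcomps code:
 * a "unite" loop that frees the current pair and then reads pair->next on the
 * next iteration.  A singly linked list of key/value pairs stands in for the
 * ObjMRTree (the real structure is a radix tree). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct pair { char *key; char *val; struct pair *next; };
struct tree { struct pair *first; struct pair *last; };

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d == NULL) abort();
    return memcpy(d, s, n);
}

static void tree_init(struct tree *t) { t->first = t->last = NULL; }

static void pair_free(struct pair *p) { free(p->key); free(p->val); free(p); }

static struct pair *tree_find(const struct tree *t, const char *key)
{
    for (struct pair *p = t->first; p != NULL; p = p->next)
        if (strcmp(p->key, key) == 0) return p;
    return NULL;
}

/* Append a fresh copy of (key, val); an existing key is left untouched. */
static void tree_set(struct tree *t, const char *key, const char *val)
{
    if (tree_find(t, key) != NULL) return;
    struct pair *p = malloc(sizeof *p);
    if (p == NULL) abort();
    p->key = dup_str(key);
    p->val = dup_str(val);
    p->next = NULL;
    if (t->last != NULL) t->last->next = p; else t->first = p;
    t->last = p;
}

static size_t tree_count(const struct tree *t)
{
    size_t n = 0;
    for (struct pair *p = t->first; p != NULL; p = p->next) n++;
    return n;
}

static void tree_free(struct tree *t)
{
    for (struct pair *p = t->first, *next; p != NULL; p = next) {
        next = p->next;            /* read the link before freeing p */
        pair_free(p);
    }
    tree_init(t);
}

/* BUGGY: merge src into dst, consuming src.  Each src pair is freed once it has
 * been copied (or found redundant), but the for-loop header then evaluates
 * pair->next on memory that was just released: a use after free.  Shown only
 * to make the defect concrete; build with -fsanitize=address to see it reported. */
void tree_unite_uaf(struct tree *dst, struct tree *src)
{
    struct pair *pair;
    for (pair = src->first; pair != NULL; pair = pair->next) { /* pair->next after free */
        if (tree_find(dst, pair->key) == NULL)
            tree_set(dst, pair->key, pair->val);
        pair_free(pair);
    }
    tree_init(src);
}

/* FIXED: capture the successor before the node can die, then free it. */
void tree_unite(struct tree *dst, struct tree *src)
{
    struct pair *pair = src->first;
    while (pair != NULL) {
        struct pair *next = pair->next;
        if (tree_find(dst, pair->key) == NULL)
            tree_set(dst, pair->key, pair->val);
        pair_free(pair);
        pair = next;
    }
    tree_init(src);
}

/* Constructed sample: two trees sharing the key "vim", the kind of duplicate a
 * crafted comps file could supply; b is consumed into a by the fixed routine. */
static void build_and_unite(struct tree *a)
{
    struct tree b;
    tree_init(a);
    tree_init(&b);
    tree_set(a, "vim", "default");
    tree_set(a, "gcc", "mandatory");
    tree_set(&b, "vim", "optional");
    tree_set(&b, "make", "default");
    tree_unite(a, &b);
}

size_t demo_unite(void)          /* merged size: 3 */
{
    struct tree a;
    build_and_unite(&a);
    size_t n = tree_count(&a);
    tree_free(&a);
    return n;
}

int demo_value_kept(void)        /* 1: dst's original "vim" value survives */
{
    struct tree a;
    build_and_unite(&a);
    const struct pair *v = tree_find(&a, "vim");
    int kept = (v != NULL && strcmp(v->val, "default") == 0);
    tree_free(&a);
    return kept;
}

int main(void)
{
    printf("merged pairs: %zu, dst value kept: %s\n",
           demo_unite(), demo_value_kept() ? "yes" : "no");
    return 0;
}
```

The fixed routine only differs in where pair->next is read; the same shape (a saved next pointer, or a while loop that detaches the head before releasing it) is the standard way to consume a list whose nodes are freed during the walk. Compiling with -fsanitize=address and calling tree_unite_uaf on the sample trees makes the heap-use-after-free visible at the loop header, which is the sort of check a reviewer would run on comps_objmrtree_unite() before and after the upstream patch.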

Comment 1 Riccardo Schirone 2019-01-21 16:53:46 UTC
Acknowledgments:

Name: Riccardo Schirone (Red Hat Product Security)

Comment 2 Riccardo Schirone 2019-01-21 17:04:50 UTC
The libcomps library is mainly used by dnf and koji.

Comment 3 Riccardo Schirone 2019-01-22 09:56:45 UTC
The ObjMRTree object type is used to implement the MDict type, which is used to store the "blacklist" and the "whiteout" parts of a comps XML file. However, when merging two Doc objects, blacklist and whiteout are not merged, thus code that does not directly use MDict (e.g. dnf and koji) cannot trigger the flaw.

Comment 6 Riccardo Schirone 2019-01-23 10:30:30 UTC
Created libcomps tracking bugs for this issue:

Affects: epel-7 [bug 1668681]
Affects: fedora-all [bug 1668680]

Comment 9 Jaroslav Rohel 2019-04-04 07:30:10 UTC
Upstream patch https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046 was merged.
Fixed in libcomps version 0.1.10

