There is a use-after-free in the libcomps library in the comps_objmradix.c:comps_objmrtree_unite() function. When two ObjMRTrees are merged, the `pair` variable may be freed and then accessed again at the next loop iteration. An attacker who is able to craft a malicious comps XML file may use this flaw to crash the application or potentially execute code.
Name: Riccardo Schirone (Red Hat Product Security)
The libcomps library is mainly used by dnf and koji.
The ObjMRTree object type is used to implement the MDict type, which stores the "blacklist" and "whiteout" parts of a comps XML file. However, when two Doc objects are merged, the blacklist and whiteout are not merged, so code that does not use MDict directly (e.g. dnf and koji) cannot trigger the flaw.
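The free-then-read-at-next-iteration pattern described above, as an added example that is not libcomps' code: a constructed model of a unite-style merge that works through a heap-allocated list of pairs, with the defective loop shown in a comment beside the safe form. All names here (`node_t`, `pair_t`, `unite`, `find`) are assumptions for the illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model, not libcomps code: each node holds a key and a
 * count; unite() merges src into *dst by draining a heap-allocated
 * worklist of pairs, one pair per source node. */
typedef struct node { const char *key; int count; struct node *next; } node_t;
typedef struct pair { node_t *src; struct pair *next; } pair_t;

node_t *node_new(const char *key, int count, node_t *next) {
    node_t *n = malloc(sizeof *n);
    n->key = key; n->count = count; n->next = next;
    return n;
}

node_t *find(node_t *head, const char *key) {
    for (; head; head = head->next)
        if (strcmp(head->key, key) == 0) return head;
    return NULL;
}

/* Merge every node of src into *dst; returns the node count of *dst. */
int unite(node_t **dst, node_t *src) {
    pair_t *work = NULL;
    for (node_t *n = src; n; n = n->next) {      /* queue one pair per node */
        pair_t *p = malloc(sizeof *p);
        p->src = n; p->next = work; work = p;
    }
    /* Defective pattern the advisory describes (never do this):
     *   for (pair_t *pair = work; pair; pair = pair->next) {
     *       ...merge pair->src...; free(pair);   // pair->next read after free()
     *   }
     * Safe form: unlink the pair from the list before freeing it, so the
     * next iteration never touches freed memory. */
    while (work) {
        pair_t *pair = work;
        work = pair->next;                       /* read next BEFORE free */
        node_t *hit = find(*dst, pair->src->key);
        if (hit) hit->count += pair->src->count;
        else *dst = node_new(pair->src->key, pair->src->count, *dst);
        free(pair);
    }
    int count = 0;
    for (node_t *p = *dst; p; p = p->next) count++;
    return count;
}
```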
Created libcomps tracking bugs for this issue:
Affects: epel-7 [bug 1668681]
Affects: fedora-all [bug 1668680]
Upstream patch https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046 was merged.
Fixed in libcomps version 0.1.10