903756 – (CVE-2023-26916, CVE-2023-26917) <net-libs/libyang-2.1.55: null pointer dereferences

Bug 903756 (CVE-2023-26916, CVE-2023-26917) - <net-libs/libyang-2.1.55: null pointer dereferences

Summary: <net-libs/libyang-2.1.55: null pointer dereferences

Status:	IN_PROGRESS

Alias:	CVE-2023-26916, CVE-2023-26917

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://github.com/CESNET/libyang/iss...
Whiteboard:	B3 [glsa?]
Keywords:

Depends on:	905111
Blocks:
	Show dependency tree

Reported:	2023-04-04 04:11 UTC by John Helmert III
Modified:	2023-05-08 04:02 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2023-04-04 04:11:54 UTC

CVE-2023-26916:

libyang from v2.0.164 to v2.1.30 was discovered to contain a NULL pointer dereference via the function lys_parse_mem at lys_parse_mem.c.

Fixed in 2.1.55, please bump.

Comment 1 Larry the Git Cow gentoo-dev

2023-04-04 08:07:53 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c4286a6222203cc151877c8200a7f5563a2ffec4

commit c4286a6222203cc151877c8200a7f5563a2ffec4
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2023-04-04 07:53:26 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2023-04-04 07:59:13 +0000

    net-libs/libyang: add 2.1.55
    
    Bug: https://bugs.gentoo.org/903756
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 net-libs/libyang/Manifest              |  1 +
 net-libs/libyang/libyang-2.1.55.ebuild | 46 ++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)

Comment 2 John Helmert III archtester

2023-04-20 04:06:32 UTC

Thanks! Please stabilize 2.1.55 when ready.

Comment 3 John Helmert III archtester

2023-04-26 03:07:40 UTC

CVE-2023-26917 (https://github.com/CESNET/libyang/issues/1987):

libyang from v2.0.164 to v2.1.30 was discovered to contain a NULL pointer dereference via the function lysp_stmt_validate_value at lys_parse_mem.c.

Comment 4 Larry the Git Cow gentoo-dev

2023-05-05 06:22:47 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a8e254a5e783e7fd7b70f5b12a3e1e1cb8915ef4

commit a8e254a5e783e7fd7b70f5b12a3e1e1cb8915ef4
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2023-05-05 06:20:43 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2023-05-05 06:22:24 +0000

    net-libs/libyang: drop 2.0.194-r1
    
    Bug: https://bugs.gentoo.org/903756
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 net-libs/libyang/Manifest                  |  1 -
 net-libs/libyang/libyang-2.0.194-r1.ebuild | 46 ------------------------------
 2 files changed, 47 deletions(-)

Comment 5 John Helmert III archtester

2023-05-08 04:02:59 UTC

Thanks!