Bug 701846 (CVE-2019-18874)

Summary: <dev-python/psutil-5.6.7: double free because of refcount mishandling (CVE-2019-18874)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: mgorny, python
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/giampaolo/psutil/pull/1616
Whiteboard: B2 [noglsa cve]
Package list:
dev-python/psutil-5.6.7
Runtime testing required: No

Description GLSAMaker/CVETool Bot gentoo-dev 2019-12-03 00:32:26 UTC
CVE-2019-18874 (https://nvd.nist.gov/vuln/detail/CVE-2019-18874):
  psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs
  because of refcount mishandling within a while or for loop that converts
  system data into a Python object.
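As an added illustration (not code from psutil, CPython or this bug report), the C program below models the loop shape the description refers to. It uses a constructed reference-counting stand-in so that a second decref is counted rather than corrupting the heap; the names `Obj`, `List`, `build_list`, `py_item`, `fail_at` and the `DECREF`/`XDECREF`/`CLEAR` macros are assumptions that mirror `Py_DECREF`, `Py_XDECREF` and `Py_CLEAR`. The `CLEAR` branch corresponds to the fix in the linked pull request, which switched the affected loops from `Py_DECREF` to `Py_CLEAR` so that the shared error label can no longer reach an object the result list already owns.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a reference-counted CPython object. The real
 * Py_DECREF frees the memory at zero, so a second decref corrupts the heap.
 * Here a freed object stays in a static pool and only records the event,
 * which lets the program count double frees instead of crashing. */
typedef struct {
    int refcnt;
    int freed;
} Obj;

static Obj pool[8];
static int pool_used;
static int double_frees;   /* decrefs applied to an already-freed object */

static Obj *obj_new(void) {
    Obj *o = &pool[pool_used++];
    o->refcnt = 1;
    o->freed = 0;
    return o;
}

static void obj_decref(Obj *o) {
    if (o->freed) { double_frees++; return; }
    if (--o->refcnt == 0) o->freed = 1;
}

/* Mirrors of Py_DECREF / Py_XDECREF / Py_CLEAR. Only CLEAR resets the
 * variable, so later cleanup code cannot reach the object through it. */
#define DECREF(o)  obj_decref(o)
#define XDECREF(o) do { if (o) obj_decref(o); } while (0)
#define CLEAR(o)   do { Obj *tmp_ = (o); (o) = NULL; XDECREF(tmp_); } while (0)

/* Minimal list: like PyList_Append it takes its own reference on append. */
typedef struct { Obj *items[8]; int n; } List;

static int list_append(List *l, Obj *o) {
    if (l->n >= 8) return -1;
    o->refcnt++;
    l->items[l->n++] = o;
    return 0;
}

/* Shape of the affected loops: one object per system entry is created,
 * appended to the result, and the loop-local reference is dropped; any
 * failure jumps to a shared cleanup label. 'fail_at' (constructed) is the
 * iteration in which a later call in the loop body is assumed to fail. */
static int build_list(List *result, int entries, int fail_at, int use_clear) {
    Obj *py_item = NULL;
    for (int i = 0; i < entries; i++) {
        py_item = obj_new();
        if (list_append(result, py_item) != 0)
            goto error;
        if (use_clear)
            CLEAR(py_item);      /* fixed form: pointer becomes NULL */
        else
            DECREF(py_item);     /* vulnerable form: dangling pointer to a live, list-owned object */
        if (i == fail_at)
            goto error;
    }
    return 0;
error:
    XDECREF(py_item);   /* with DECREF above, this drops the list's reference a second time */
    return -1;
}

/* Runs the error scenario and returns how many double frees occur once the
 * caller discards the partially built list. */
static int run_scenario(int use_clear) {
    List result;
    memset(&result, 0, sizeof result);
    pool_used = 0;
    double_frees = 0;
    build_list(&result, 3, 1, use_clear);       /* constructed: fails on the second entry */
    for (int i = 0; i < result.n; i++)           /* list teardown drops its references */
        DECREF(result.items[i]);
    return double_frees;
}

int main(void) {
    printf("Py_DECREF pattern: %d double free(s)\n", run_scenario(0));
    printf("Py_CLEAR pattern:  %d double free(s)\n", run_scenario(1));
    return 0;
}
```

The model reproduces the mechanism rather than the crash: in the `DECREF` variant the error label decrements an object the list still owns, so the object's count reaches zero while a reference to it remains, and the list's own teardown then frees it again. `CLEAR` makes the loop-local pointer NULL immediately after the append, which is why the same cleanup label is safe in the fixed code.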
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-12-03 08:41:56 UTC
Keywords for dev-python/psutil:
         |                               |   u   |  
         | a a   a     p           s r   |   n   |  
         | l m   r i   p   h m s   p i m | e u s | r
         | p d a m a p c x p 6 3   a s i | a s l | e
         | h 6 r 6 6 p 6 8 p 8 9 s r c p | p e o | p
         | a 4 m 4 4 c 4 6 a k 0 h c v s | i d t | o
---------+-------------------------------+-------+-------
   5.4.8 | ~ ~ ~ ~ ~ ~ ~ ~ ~ o ~ o ~ o o | 7 # 0 | gentoo
   5.5.0 | + + + + + + + + ~ o + o + o o | 7 o   | gentoo
   5.6.0 | ~ + + ~ ~ + + + ~ o + o ~ o o | 7 o   | gentoo
[I]5.6.5 | ~ ~ ~ ~ ~ ~ ~ ~ ~ o ~ o ~ o o | 7 #   | gentoo
   5.6.7 | ~ ~ ~ ~ ~ ~ ~ ~ ~ o ~ o ~ o o | 7 o   | gentoo
Comment 2 Agostino Sarubbo gentoo-dev 2019-12-03 11:41:55 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2019-12-03 11:42:41 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-12-03 11:56:08 UTC
sparc stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-12-03 12:27:09 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-12-03 12:56:30 UTC
ia64 stable
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2019-12-04 01:00:51 UTC
arm64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-12-09 07:49:37 UTC
s390 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-12-10 10:55:08 UTC
ppc stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-12-24 15:16:46 UTC
arm stable
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-18 21:07:33 UTC
Tree is clean.
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-19 18:46:30 UTC
Not releasing a GLSA for this one: To trigger this flaw, an attacker would require privileges to modify network addresses, manipulate users, network interfaces and/or disk partitions. All of this requires super user privileges already.

Repository is clean, all done.