Bug 701846 (CVE-2019-18874) - <dev-python/psutil-5.6.7: double free because of refcount mishandling (CVE-2019-18874)
Summary: <dev-python/psutil-5.6.7: double free because of refcount mishandling (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2019-18874
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/giampaolo/psutil/p...
Whiteboard: B2 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-12-03 00:32 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-19 18:46 UTC (History)
2 users

See Also:
Package list:
dev-python/psutil-5.6.7
Runtime testing required: No
stable-bot: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2019-12-03 00:32:26 UTC
CVE-2019-18874 (https://nvd.nist.gov/vuln/detail/CVE-2019-18874):
  psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs
  because of refcount mishandling within a while or for loop that converts
  system data into a Python object.
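The bug class in the description above, as an added example that is not psutil's code: a plain-C model of a conversion loop that drops its per-item reference with a decref but leaves the pointer dangling, so a failure at the top of the next iteration makes the cleanup block release the same item again, once directly and once through the list. `Obj`, `dec_ref()` and `CLEAR()` are assumed stand-ins for a Python object, `Py_XDECREF()` and `Py_CLEAR()`; the usual defence shown is to null the pointer together with the decref.

```c
/* Added example, not psutil's code: a plain-C model of the refcount bug class
 * named in CVE-2019-18874; Obj, dec_ref() and CLEAR() stand in for a Python
 * object, Py_XDECREF() and Py_CLEAR(), and the "system records" are simulated. */
#include <stdlib.h>

typedef struct { int refcnt; int freed; } Obj;
static int double_frees;  /* how often an already-released object was released again */
static Obj *new_obj(void) {
    Obj *o = calloc(1, sizeof *o);
    if (o == NULL) exit(1);
    o->refcnt = 1;
    return o;
}
/* Stand-in for Py_XDECREF. Releasing an object whose count already hit zero is
 * the double free; here it is counted instead of corrupting the heap. */
static void dec_ref(Obj *o) {
    if (o == NULL) return;
    if (o->freed) { double_frees++; return; }
    if (--o->refcnt == 0) o->freed = 1;   /* block kept so the reuse is detectable */
}
/* Stand-in for Py_CLEAR: release and null the pointer in one step. */
#define CLEAR(p) do { dec_ref(p); (p) = NULL; } while (0)

/* The list drops its reference to each item, then the memory is returned. */
static void release_list(Obj **list, int count) {
    for (int i = 0; i < count; i++) { dec_ref(list[i]); free(list[i]); }
}
/* Converts up to n system records into a list of objects. fail_at makes the
 * record read fail at the top of that iteration (-1: never); use_clear picks a
 * Py_CLEAR-style release of the loop's reference over a plain decref.
 * Returns the number of double frees observed (0 means the cleanup was safe). */
static int convert_loop(int n, int fail_at, int use_clear) {
    Obj *list[16], *py_item = NULL;
    int count = 0;
    double_frees = 0;
    for (int i = 0; i < n && count < 16; i++) {
        if (i == fail_at) goto error;  /* e.g. a syscall for record i failed */
        py_item = new_obj();           /* Py_BuildValue(): loop owns one reference */
        list[count++] = py_item;       /* PyList_Append(): list takes its own */
        py_item->refcnt++;
        if (use_clear) CLEAR(py_item); /* loop's reference dropped, pointer nulled */
        else dec_ref(py_item);         /* dropped, but py_item still dangles */
    }
    release_list(list, count);         /* success: caller eventually drops the list */
    return double_frees;
error:
    dec_ref(py_item);                  /* Py_XDECREF(py_item) in the cleanup block */
    release_list(list, count);         /* Py_DECREF(py_list) releases each item */
    return double_frees;
}
```

With a plain decref, any failure after the first successful iteration yields one double release; with the clear-style release the same failure is cleaned up safely.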
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-12-03 08:41:56 UTC
Keywords for dev-python/psutil:
         |                               |   u   |  
         | a a   a     p           s r   |   n   |  
         | l m   r i   p   h m s   p i m | e u s | r
         | p d a m a p c x p 6 3   a s i | a s l | e
         | h 6 r 6 6 p 6 8 p 8 9 s r c p | p e o | p
         | a 4 m 4 4 c 4 6 a k 0 h c v s | i d t | o
---------+-------------------------------+-------+-------
   5.4.8 | ~ ~ ~ ~ ~ ~ ~ ~ ~ o ~ o ~ o o | 7 # 0 | gentoo
   5.5.0 | + + + + + + + + ~ o + o + o o | 7 o   | gentoo
   5.6.0 | ~ + + ~ ~ + + + ~ o + o ~ o o | 7 o   | gentoo
[I]5.6.5 | ~ ~ ~ ~ ~ ~ ~ ~ ~ o ~ o ~ o o | 7 #   | gentoo
   5.6.7 | ~ ~ ~ ~ ~ ~ ~ ~ ~ o ~ o ~ o o | 7 o   | gentoo
Comment 2 Agostino Sarubbo gentoo-dev 2019-12-03 11:41:55 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2019-12-03 11:42:41 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-12-03 11:56:08 UTC
sparc stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-12-03 12:27:09 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-12-03 12:56:30 UTC
ia64 stable
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2019-12-04 01:00:51 UTC
arm64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-12-09 07:49:37 UTC
s390 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-12-10 10:55:08 UTC
ppc stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-12-24 15:16:46 UTC
arm stable
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-18 21:07:33 UTC
Tree is clean.
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-19 18:46:30 UTC
Not releasing a GLSA for this one: To trigger this flaw, an attacker would require privileges to modify network addresses, manipulate users, network interfaces and/or disk partitions. All of this requires super user privileges already.

Repository is clean, all done.