Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 791373 (CVE-2021-28902, CVE-2021-28903, CVE-2021-28904, CVE-2021-28905, CVE-2021-28906) - <net-libs/libyang-1.0.236: Multiple vulnerabilities (CVE-2021-{28902,28903,28904,28905,28906})
Summary: <net-libs/libyang-1.0.236: Multiple vulnerabilities (CVE-2021-{28902,28903,28...
Status: RESOLVED FIXED
Alias: CVE-2021-28902, CVE-2021-28903, CVE-2021-28904, CVE-2021-28905, CVE-2021-28906
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ cve]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2021-05-22 01:49 UTC by Sam James
Modified: 2021-07-24 03:07 UTC (History)
3 users (show)

See Also:
Package list:
net-libs/libyang-1.0.236
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2021-05-22 01:49:05 UTC
* CVE-2021-28906

Description:
"In function read_yin_leaf() in libyang <= v1.0.225, it doesn't check whether the value of retval->ext[r] is NULL. In some cases, it can be NULL, which leads to the operation of retval->ext[r]->flags that results in a crash."

https://github.com/CESNET/libyang/issues/1455

* CVE-2021-28905

Description:
"In function lys_node_free() in libyang <= v1.0.225, it asserts that the value of node->module can't be NULL. But in some cases, node->module can be null, which triggers a reachable assertion (CWE-617)."

https://github.com/CESNET/libyang/issues/1452

* CVE-2021-28904

Description:
"In function ext_get_plugin() in libyang <= v1.0.225, it doesn't check whether the value of revision is NULL. If revision is NULL, the operation of strcmp(revision, ext_plugins[u].revision) will lead to a crash."

https://github.com/CESNET/libyang/issues/1451

* CVE-2021-28903

Description:
"A stack overflow in libyang <= v1.0.225 can cause a denial of service through function lyxml_parse_mem(). lyxml_parse_elem() function will be called recursively, which will consume stack space and lead to crash."

https://github.com/CESNET/libyang/issues/1453

* CVE-2021-28902

Description:
"In function read_yin_container() in libyang <= v1.0.225, it doesn't check whether the value of retval->ext[r] is NULL. In some cases, it can be NULL, which leads to the operation of retval->ext[r]->flags that results in a crash."

https://github.com/CESNET/libyang/issues/1454
Comment 1 Sam James archtester gentoo-dev Security 2021-05-22 01:50:36 UTC
All look fixed(?) upstream, thanks!
Comment 2 Larry the Git Cow gentoo-dev 2021-05-26 12:37:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a6491cbd55ee320a821c1f91aa08dda83071e1df

commit a6491cbd55ee320a821c1f91aa08dda83071e1df
Author:     Jakov Smolic <jakov.smolic@sartura.hr>
AuthorDate: 2021-05-24 13:22:38 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-05-26 12:34:56 +0000

    net-libs/libyang: Seurity bump to 1.0.236
    
    * Note that upstream didn't make a proper release,
      but has tagged version 1.0.236 in the commit, so
      let's just fetch the tarball using commit id
    
    Bug: https://bugs.gentoo.org/791373
    Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr>
    Closes: https://github.com/gentoo/gentoo/pull/20966
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/libyang/Manifest               |  1 +
 net-libs/libyang/libyang-1.0.236.ebuild | 46 +++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)
Comment 3 Agostino Sarubbo gentoo-dev 2021-05-27 06:55:57 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2021-05-27 06:57:38 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Larry the Git Cow gentoo-dev 2021-05-27 09:46:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cd49db32c2ce99b6326819023a0358d7b184dbb5

commit cd49db32c2ce99b6326819023a0358d7b184dbb5
Author:     Jakov Smolic <jakov.smolic@sartura.hr>
AuthorDate: 2021-05-27 08:15:21 +0000
Commit:     Sergey Popov <pinkbyte@gentoo.org>
CommitDate: 2021-05-27 09:45:17 +0000

    net-libs/libyang: Security cleanup
    
    Closes: https://github.com/gentoo/gentoo/pull/21005
    Bug: https://bugs.gentoo.org/791373
    Signed-off-by: Sergey Popov <pinkbyte@gentoo.org>
    Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr>

 net-libs/libyang/Manifest               |  2 --
 net-libs/libyang/libyang-1.0.215.ebuild | 46 ---------------------------------
 net-libs/libyang/libyang-1.0.225.ebuild | 44 -------------------------------
 3 files changed, 92 deletions(-)
Comment 6 John Helmert III gentoo-dev Security 2021-07-24 02:37:42 UTC
GLSA request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2021-07-24 03:07:17 UTC
This issue was resolved and addressed in
 GLSA 202107-54 at https://security.gentoo.org/glsa/202107-54
by GLSA coordinator John Helmert III (ajak).