Bug 1122193 – VUL-0: CVE-2018-20721: uriparser: Out-of-bounds read in uriParse*Ex* for incomplete URIs with IPv6 addresses with embedded IPv4 address

Bug 1122193 - (CVE-2018-20721) VUL-0: CVE-2018-20721: uriparser: Out-of-bounds read in uriParse*Ex* for incomplete URIs with IPv6 addresses with embedded IPv4 address

(CVE-2018-20721)
Summary:	VUL-0: CVE-2018-20721: uriparser: Out-of-bounds read in uriParseEx for in...

Status:	RESOLVED FIXED

Classification:	openSUSE
Product:	openSUSE Distribution
Classification:	openSUSE
Component:	Security
Version:	Leap 15.0
Hardware:	Other Other

Priority:	P3 - Medium Severity: Minor (vote)
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/223044/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-01-16 13:41 UTC by Karol Babioch
Modified:	2020-01-16 14:05 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Karol Babioch 2019-01-16 13:41:24 UTC

CVE-2018-20721

Out-of-bounds read in uriParse*Ex* for incomplete URIs with IPv6 addresses with embedded IPv4 address, e.g. "//[::44.1"; mitigated if passed parameter <afterLast> points to readable memory containing a '\0' byte.

Thanks to Joergen Ibsen for the report!

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20721

Comment 1 Swamp Workflow Management 2019-01-16 14:50:06 UTC

This is an autogenerated message for OBS integration:
This bug (1122193) was mentioned in
https://build.opensuse.org/request/show/666491 Factory / uriparser

Comment 4 Swamp Workflow Management 2019-02-05 14:09:43 UTC

SUSE-SU-2019:0228-1: An update that fixes four vulnerabilities is now available.

Category: security (low)
Bug References: 1115722,1115723,1115724,1122193
CVE References: CVE-2018-19198,CVE-2018-19199,CVE-2018-19200,CVE-2018-20721
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    uriparser-0.8.5-3.5.1

Comment 5 Swamp Workflow Management 2019-02-13 17:17:52 UTC

openSUSE-SU-2019:0165-1: An update that fixes four vulnerabilities is now available.

Category: security (low)
Bug References: 1115722,1115723,1115724,1122193
CVE References: CVE-2018-19198,CVE-2018-19199,CVE-2018-19200,CVE-2018-20721
Sources used:
openSUSE Leap 15.0 (src):    uriparser-0.8.5-lp150.2.3.1

Comment 6 Swamp Workflow Management 2019-02-13 20:13:12 UTC

openSUSE-SU-2019:0171-1: An update that fixes four vulnerabilities is now available.

Category: security (low)
Bug References: 1115722,1115723,1115724,1122193
CVE References: CVE-2018-19198,CVE-2018-19199,CVE-2018-19200,CVE-2018-20721
Sources used:
openSUSE Backports SLE-15 (src):    uriparser-0.8.5-bp150.2.3.1

Comment 7 Alexandros Toptsoglou 2020-01-16 14:05:53 UTC

all done. Closing