Description
Security update for libsolv
This update for libsolv fixes the following issues:
Security issues fixed:
- CVE-2019-20387: Fixed heap-buffer-overflow in repodata_schema2id (bsc#1161510)
- CVE-2021-3200: testcase_read: error out if repos are added or the system is changed too late (bsc#1186229)
Other issues fixed:
- backport support for blacklisted packages to support ptf packages and retracted patches
- fix ruleinfo of complex dependencies returning the wrong origin
- fix SOLVER_FLAG_FOCUS_BEST updating packages without reason
- fix add_complex_recommends() selecting conflicted packages in rare cases
- fix potential segfault in resolve_jobrules
- fix solv_zchunk decoding error if large chunks are used
Package list
SUSE Linux Enterprise Server 12 SP2-BCL
libsolv-devel-0.6.37-2.27.24.1
libsolv-tools-0.6.37-2.27.24.1
libzypp-16.21.4-27.75.1
libzypp-devel-16.21.4-27.75.1
perl-solv-0.6.37-2.27.24.1
python-solv-0.6.37-2.27.24.1
References
- Link for SUSE-SU-2021:2145-1
- E-Mail link for SUSE-SU-2021:2145-1
- SUSE Security Ratings
- SUSE Bug 1161510
- SUSE Bug 1186229
- SUSE CVE CVE-2019-20387 page
- SUSE CVE CVE-2021-3200 page
Description
repodata_schema2id in repodata.c in libsolv before 0.7.6 has a heap-based buffer over-read via a last schema whose length is less than the length of the input schema.
Affected products
SUSE Linux Enterprise Server 12 SP2-BCL:libsolv-devel-0.6.37-2.27.24.1
SUSE Linux Enterprise Server 12 SP2-BCL:libsolv-tools-0.6.37-2.27.24.1
SUSE Linux Enterprise Server 12 SP2-BCL:libzypp-16.21.4-27.75.1
SUSE Linux Enterprise Server 12 SP2-BCL:libzypp-devel-16.21.4-27.75.1
References
- CVE-2019-20387
- SUSE Bug 1161510
Description
Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver *testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp) function at src/testcase.c: line 2334, which could cause a denial of service.
Affected products
SUSE Linux Enterprise Server 12 SP2-BCL:libsolv-devel-0.6.37-2.27.24.1
SUSE Linux Enterprise Server 12 SP2-BCL:libsolv-tools-0.6.37-2.27.24.1
SUSE Linux Enterprise Server 12 SP2-BCL:libzypp-16.21.4-27.75.1
SUSE Linux Enterprise Server 12 SP2-BCL:libzypp-devel-16.21.4-27.75.1
References
- CVE-2021-3200
- SUSE Bug 1186229