1156525 – (CVE-2019-18874) VUL-1: CVE-2019-18874: python-psutil: refcount mishandling within a while or for loop that converts system data into a Python object can lead to a double free

Bug 1156525 (CVE-2019-18874) - VUL-1: CVE-2019-18874: python-psutil: refcount mishandling within a while or for loop that converts system data into a Python object can lead to a double free

Summary: VUL-1: CVE-2019-18874: python-psutil: refcount mishandling within a while or ...

Status:	RESOLVED FIXED

Alias:	CVE-2019-18874

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/246881/
Whiteboard:	CVSSv3.1:SUSE:CVE-2019-18874:4.0:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2019-11-12 10:43 UTC by Wolfgang Frisch
Modified:	2024-05-06 11:57 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
python-psutil-CVE-2019-18874.patch (20.97 KB, patch) 2019-11-12 10:45 UTC, Wolfgang Frisch	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Wolfgang Frisch 2019-11-12 10:43:39 UTC

CVE-2019-18874

psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs
because of refcount mishandling within a while or for loop that converts system
data into a Python object.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18874
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18874
https://github.com/giampaolo/psutil/pull/1616

Comment 1 Wolfgang Frisch 2019-11-12 10:45:43 UTC

Created attachment 823919 [details]
python-psutil-CVE-2019-18874.patch

upstream patch

Comment 3 Dirk Mueller 2019-11-12 15:16:03 UTC

I did so for OBS / C:O:Rocky and SUSE:SLE-12-SP4:Update:Products:Cloud9:Update . however for the older versions the patch doesn't apply, and I don't have time to look at this in detail. 

I'll try to find a package maintainer because I'm not actually with the cloud group anymore.

Comment 5 Swamp Workflow Management 2019-11-26 17:11:44 UTC

SUSE-SU-2019:3068-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1153304,1155942,1156525
CVE References: CVE-2019-17134,CVE-2019-18874
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    crowbar-core-6.0+git.1573825081.b1caf60f1-3.16.1, crowbar-openstack-6.0+git.1573754820.dd036ef77-3.16.1, crowbar-ui-1.3.0+git.1572871359.50fc6087-14.1, openstack-barbican-7.0.1~dev21-3.3.1, openstack-heat-templates-0.0.0+git.1553459627.948e8cc-3.3.1, openstack-keystone-14.1.1~dev28-3.16.1, openstack-neutron-13.0.6~dev8-3.16.2, openstack-neutron-gbp-5.0.1~dev476-3.13.1, openstack-neutron-lbaas-13.0.1~dev16-3.13.1, openstack-nova-18.2.4~dev22-3.16.2, openstack-octavia-3.2.1~dev3-3.16.1, openstack-sahara-9.0.2~dev14-3.6.1, python-psutil-5.4.6-3.3.1, release-notes-suse-openstack-cloud-9.20191025-3.15.1
SUSE OpenStack Cloud 9 (src):    ardana-db-9.0+git.1572311426.a6dc2fd-3.13.1, ardana-keystone-9.0+git.1573069087.15ffd1c-3.13.1, ardana-neutron-9.0+git.1572019823.6650494-3.16.1, ardana-nova-9.0+git.1572618171.4460843-3.13.1, openstack-barbican-7.0.1~dev21-3.3.1, openstack-heat-templates-0.0.0+git.1553459627.948e8cc-3.3.1, openstack-keystone-14.1.1~dev28-3.16.1, openstack-neutron-13.0.6~dev8-3.16.2, openstack-neutron-gbp-5.0.1~dev476-3.13.1, openstack-neutron-lbaas-13.0.1~dev16-3.13.1, openstack-nova-18.2.4~dev22-3.16.2, openstack-octavia-3.2.1~dev3-3.16.1, openstack-sahara-9.0.2~dev14-3.6.1, python-psutil-5.4.6-3.3.1, release-notes-suse-openstack-cloud-9.20191025-3.15.1, venv-openstack-barbican-7.0.1~dev21-3.13.1, venv-openstack-cinder-13.0.8~dev8-3.13.1, venv-openstack-designate-7.0.1~dev22-3.13.1, venv-openstack-heat-11.0.3~dev23-3.13.1, venv-openstack-keystone-14.1.1~dev28-3.13.1, venv-openstack-magnum-7.1.1~dev28-4.13.1, venv-openstack-manila-7.3.1~dev15-3.13.1, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.13.1, venv-openstack-neutron-13.0.6~dev8-6.13.1, venv-openstack-nova-18.2.4~dev22-3.13.1, venv-openstack-octavia-3.2.1~dev3-4.13.1, venv-openstack-sahara-9.0.2~dev14-3.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 6 Nanuk Krinner 2019-12-05 17:24:40 UTC

Fix merged in the OBS project for Pike (SOC8):
https://build.opensuse.org/request/show/754316
and Newton (SOC7):
https://build.opensuse.org/request/show/754347
and on their way through the CI to the released product.

Comment 7 Keith Berger 2020-06-05 15:26:08 UTC

patches are in IBS now, please close when appropriate

https://build.suse.de/package/show/Devel:Cloud:7:Staging/python-psutil
https://build.suse.de/package/show/Devel:Cloud:8:Staging/python-psutil

Comment 8 Marcus Meissner 2020-06-17 17:58:28 UTC

we close after releasing

Comment 14 Swamp Workflow Management 2020-07-14 16:15:19 UTC

SUSE-SU-2020:1901-1: An update that solves 23 vulnerabilities and has 12 fixes is now available.

Category: security (important)
Bug References: 1068612,1092420,1107190,1108719,1123872,1126503,1141968,11483483,1148383,1153191,1156525,1159046,1160152,1160153,1160192,1160790,1160851,1161088,1161089,1161670,1164322,1167244,1168593,1169770,1170657,1171273,1171560,1171594,1171661,1171909,1172166,1172167,1172175,1172176,1172409
CVE References: CVE-2017-1000246,CVE-2019-1010083,CVE-2019-15043,CVE-2019-16785,CVE-2019-16786,CVE-2019-16789,CVE-2019-16792,CVE-2019-16865,CVE-2019-18874,CVE-2019-19911,CVE-2019-3828,CVE-2020-10663,CVE-2020-10743,CVE-2020-11076,CVE-2020-11077,CVE-2020-12052,CVE-2020-13254,CVE-2020-13379,CVE-2020-13596,CVE-2020-5312,CVE-2020-5313,CVE-2020-5390,CVE-2020-8151
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    ansible-2.4.6.0-3.9.1, caasp-openstack-heat-templates-1.0+git.1560518045.ad7dc6d-4.18.1, crowbar-core-5.0+git.1593156248.55bbdb26d-3.41.2, crowbar-openstack-5.0+git.1593085772.64c4ab43c-4.40.2, documentation-suse-openstack-cloud-deployment-8.20200527-1.26.1, documentation-suse-openstack-cloud-supplement-8.20200527-1.26.1, documentation-suse-openstack-cloud-upstream-admin-8.20200527-1.26.1, documentation-suse-openstack-cloud-upstream-user-8.20200527-1.26.1, grafana-4.6.5-4.9.1, kibana-4.6.3-3.3.1, openstack-dashboard-12.0.5~dev3-3.26.1, openstack-heat-templates-0.0.0+git.1582270132.8a20477-3.15.1, openstack-keystone-12.0.4~dev11-5.33.2, openstack-keystone-doc-12.0.4~dev11-5.33.2, openstack-monasca-agent-2.2.6~dev4-3.18.1, openstack-monasca-installer-20190923_16.32-3.12.1, openstack-neutron-11.0.9~dev65-3.33.2, openstack-neutron-doc-11.0.9~dev65-3.33.2, openstack-octavia-amphora-image-0.1.4-3.12.2, python-Django-1.11.23-3.15.1, python-Flask-0.12.1-3.3.1, python-Pillow-4.2.1-3.5.1, python-amqp-2.4.2-3.12.1, python-apicapi-1.6.0-3.6.1, python-keystoneauth1-3.1.2~dev2-3.3.1, python-oslo.messaging-5.30.8-3.11.1, python-psutil-5.2.2-3.3.1, python-pyroute2-0.4.21-3.3.1, python-pysaml2-4.0.2-5.6.1, python-tooz-1.58.1-3.3.1, python-waitress-1.4.3-3.3.1, rubygem-activeresource-4.0.0-3.3.1, rubygem-crowbar-client-3.9.2-3.12.1, rubygem-json-1_7-1.7.7-3.3.1, rubygem-puma-2.16.0-3.9.1, storm-1.1.3-3.3.1
SUSE OpenStack Cloud 8 (src):    ansible-2.4.6.0-3.9.1, ansible1-1.9.6-7.3.1, ardana-ansible-8.0+git.1589740980.6c3bcdc-3.73.1, ardana-cluster-8.0+git.1585685203.3e71e49-3.36.1, ardana-freezer-8.0+git.1586539529.b7d295f-3.21.1, ardana-input-model-8.0+git.1589740934.0e0ad61-3.39.1, ardana-logging-8.0+git.1591194866.b7375d0-3.24.1, ardana-mq-8.0+git.1589715269.62ad6df-3.22.1, ardana-neutron-8.0+git.1590756744.ba84abc-3.42.1, ardana-octavia-8.0+git.1590100427.cf4cc8f-3.29.1, ardana-osconfig-8.0+git.1587034587.eac37b8-3.45.1, caasp-openstack-heat-templates-1.0+git.1560518045.ad7dc6d-4.18.1, documentation-suse-openstack-cloud-installation-8.20200527-1.26.1, documentation-suse-openstack-cloud-operations-8.20200527-1.26.1, documentation-suse-openstack-cloud-opsconsole-8.20200527-1.26.1, documentation-suse-openstack-cloud-planning-8.20200527-1.26.1, documentation-suse-openstack-cloud-security-8.20200527-1.26.1, documentation-suse-openstack-cloud-supplement-8.20200527-1.26.1, documentation-suse-openstack-cloud-upstream-admin-8.20200527-1.26.1, documentation-suse-openstack-cloud-upstream-user-8.20200527-1.26.1, documentation-suse-openstack-cloud-user-8.20200527-1.26.1, grafana-4.6.5-4.9.1, kibana-4.6.3-3.3.1, openstack-dashboard-12.0.5~dev3-3.26.1, openstack-heat-templates-0.0.0+git.1582270132.8a20477-3.15.1, openstack-keystone-12.0.4~dev11-5.33.2, openstack-keystone-doc-12.0.4~dev11-5.33.2, openstack-monasca-agent-2.2.6~dev4-3.18.1, openstack-monasca-installer-20190923_16.32-3.12.1, openstack-neutron-11.0.9~dev65-3.33.2, openstack-neutron-doc-11.0.9~dev65-3.33.2, openstack-octavia-amphora-image-0.1.4-3.12.2, python-Django-1.11.23-3.15.1, python-Flask-0.12.1-3.3.1, python-GitPython-2.1.8-3.3.1, python-Pillow-4.2.1-3.5.1, python-amqp-2.4.2-3.12.1, python-apicapi-1.6.0-3.6.1, python-keystoneauth1-3.1.2~dev2-3.3.1, python-oslo.messaging-5.30.8-3.11.1, python-psutil-5.2.2-3.3.1, python-pyroute2-0.4.21-3.3.1, python-pysaml2-4.0.2-5.6.1, python-tooz-1.58.1-3.3.1, python-waitress-1.4.3-3.3.1, storm-1.1.3-3.3.1, venv-openstack-aodh-5.1.1~dev7-12.26.2, venv-openstack-barbican-5.0.2~dev3-12.27.2, venv-openstack-ceilometer-9.0.8~dev7-12.24.2, venv-openstack-cinder-11.2.3~dev23-14.27.2, venv-openstack-designate-5.0.3~dev7-12.25.2, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.22.1, venv-openstack-glance-15.0.3~dev3-12.25.1, venv-openstack-heat-9.0.8~dev22-12.27.1, venv-openstack-horizon-12.0.5~dev3-14.30.1, venv-openstack-ironic-9.1.8~dev8-12.27.2, venv-openstack-keystone-12.0.4~dev11-11.28.2, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.26.2, venv-openstack-manila-5.1.1~dev5-12.31.2, venv-openstack-monasca-2.2.2~dev1-11.22.3, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.22.2, venv-openstack-murano-4.0.2~dev2-12.22.1, venv-openstack-neutron-11.0.9~dev65-13.30.2, venv-openstack-nova-16.1.9~dev61-11.28.2, venv-openstack-octavia-1.0.6~dev3-12.27.2, venv-openstack-sahara-7.0.5~dev4-11.26.2, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.18.1, venv-openstack-trove-8.0.2~dev2-11.26.1
HPE Helion Openstack 8 (src):    ansible-2.4.6.0-3.9.1, ansible1-1.9.6-7.3.1, ardana-ansible-8.0+git.1589740980.6c3bcdc-3.73.1, ardana-cluster-8.0+git.1585685203.3e71e49-3.36.1, ardana-freezer-8.0+git.1586539529.b7d295f-3.21.1, ardana-input-model-8.0+git.1589740934.0e0ad61-3.39.1, ardana-logging-8.0+git.1591194866.b7375d0-3.24.1, ardana-mq-8.0+git.1589715269.62ad6df-3.22.1, ardana-neutron-8.0+git.1590756744.ba84abc-3.42.1, ardana-octavia-8.0+git.1590100427.cf4cc8f-3.29.1, ardana-osconfig-8.0+git.1587034587.eac37b8-3.45.1, caasp-openstack-heat-templates-1.0+git.1560518045.ad7dc6d-4.18.1, documentation-hpe-helion-openstack-installation-8.20200527-1.26.1, documentation-hpe-helion-openstack-operations-8.20200527-1.26.1, documentation-hpe-helion-openstack-opsconsole-8.20200527-1.26.1, documentation-hpe-helion-openstack-planning-8.20200527-1.26.1, documentation-hpe-helion-openstack-security-8.20200527-1.26.1, documentation-hpe-helion-openstack-user-8.20200527-1.26.1, grafana-4.6.5-4.9.1, kibana-4.6.3-3.3.1, openstack-dashboard-12.0.5~dev3-3.26.1, openstack-dashboard-theme-HPE-8+git.1523473653.6599ec8-3.3.1, openstack-heat-templates-0.0.0+git.1582270132.8a20477-3.15.1, openstack-keystone-12.0.4~dev11-5.33.2, openstack-keystone-doc-12.0.4~dev11-5.33.2, openstack-monasca-agent-2.2.6~dev4-3.18.1, openstack-monasca-installer-20190923_16.32-3.12.1, openstack-neutron-11.0.9~dev65-3.33.2, openstack-neutron-doc-11.0.9~dev65-3.33.2, openstack-octavia-amphora-image-0.1.4-3.12.2, python-Django-1.11.23-3.15.1, python-Flask-0.12.1-3.3.1, python-GitPython-2.1.8-3.3.1, python-Pillow-4.2.1-3.5.1, python-amqp-2.4.2-3.12.1, python-apicapi-1.6.0-3.6.1, python-keystoneauth1-3.1.2~dev2-3.3.1, python-oslo.messaging-5.30.8-3.11.1, python-psutil-5.2.2-3.3.1, python-pyroute2-0.4.21-3.3.1, python-pysaml2-4.0.2-5.6.1, python-tooz-1.58.1-3.3.1, python-waitress-1.4.3-3.3.1, storm-1.1.3-3.3.1, venv-openstack-aodh-5.1.1~dev7-12.26.2, venv-openstack-barbican-5.0.2~dev3-12.27.2, venv-openstack-ceilometer-9.0.8~dev7-12.24.2, venv-openstack-cinder-11.2.3~dev23-14.27.2, venv-openstack-designate-5.0.3~dev7-12.25.2, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.22.1, venv-openstack-glance-15.0.3~dev3-12.25.1, venv-openstack-heat-9.0.8~dev22-12.27.1, venv-openstack-horizon-hpe-12.0.5~dev3-14.30.1, venv-openstack-ironic-9.1.8~dev8-12.27.2, venv-openstack-keystone-12.0.4~dev11-11.28.2, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.26.2, venv-openstack-manila-5.1.1~dev5-12.31.2, venv-openstack-monasca-2.2.2~dev1-11.22.3, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.22.2, venv-openstack-murano-4.0.2~dev2-12.22.1, venv-openstack-neutron-11.0.9~dev65-13.30.2, venv-openstack-nova-16.1.9~dev61-11.28.2, venv-openstack-octavia-1.0.6~dev3-12.27.2, venv-openstack-sahara-7.0.5~dev4-11.26.2, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.18.1, venv-openstack-trove-8.0.2~dev2-11.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 15 Swamp Workflow Management 2020-07-29 19:14:30 UTC

SUSE-RU-2020:2072-1: An update that solves 31 vulnerabilities and has 8 fixes is now available.

Category: recommended (low)
Bug References: 1037777,1068612,1069468,1070737,1077718,1083903,1111657,1126503,1133817,1135773,1138748,1148383,1149110,1149535,1153191,1156525,1159447,1160152,1160153,1160192,1160790,1160851,1161088,1161089,1161349,1161670,1164316,1165402,1167244,1170657,1171560,1171909,1172166,1172167,1172175,1172176,1172409,948198,981848
CVE References: CVE-2017-1000246,CVE-2017-4965,CVE-2017-4967,CVE-2018-1000115,CVE-2019-0201,CVE-2019-11596,CVE-2019-15026,CVE-2019-15043,CVE-2019-16785,CVE-2019-16786,CVE-2019-16789,CVE-2019-16792,CVE-2019-16865,CVE-2019-18874,CVE-2019-19844,CVE-2019-19911,CVE-2019-3498,CVE-2019-3828,CVE-2020-10663,CVE-2020-10743,CVE-2020-11076,CVE-2020-11077,CVE-2020-12052,CVE-2020-13254,CVE-2020-13379,CVE-2020-13596,CVE-2020-5247,CVE-2020-5312,CVE-2020-5313,CVE-2020-5390,CVE-2020-8151
JIRA References: ECO-1256,SOC-10357,SOC-11067,SOC-11077,SOC-11079,SOC-11082,SOC-11122,SOC-11174,SOC-11187,SOC-11224,SOC-11238,SOC-11243,SOC-11248,SOC-11251,SOC-11286,SOC-9298,SOC-9801
Sources used:
SUSE OpenStack Cloud 7 (src):    ansible-2.2.3.0-12.2, crowbar-core-4.0+git.1580209654.1d112d31f-9.66.5, crowbar-ha-4.0+git.1585316203.d6ad2c8-4.52.4, crowbar-openstack-4.0+git.1589804581.9972163f0-9.71.4, grafana-4.6.5-1.14.1, keepalived-2.0.19-1.8.1, kibana-4.6.3-5.1, memcached-1.5.17-3.6.1, monasca-installer-20180608_12.47-12.1, openstack-dashboard-theme-SUSE-2016.2-5.12.4, openstack-manila-3.0.1~dev30-4.12.2, openstack-manila-doc-3.0.1~dev30-4.12.3, openstack-neutron-fwaas-9.0.2~dev5-4.9.3, openstack-neutron-fwaas-doc-9.0.2~dev5-4.9.4, openstack-nova-14.0.11~dev13-4.40.2, openstack-nova-doc-14.0.11~dev13-4.40.2, openstack-tempest-12.2.1~a0~dev177-4.9.1, python-Django-1.8.19-3.23.1, python-Pillow-2.8.1-4.12.1, python-psql2mysql-0.5.0+git.1589351878.4ef877c-1.12.1, python-psutil-1.2.1-21.1, python-py-1.8.1-11.12.1, python-pysaml2-4.0.2-3.17.1, python-waitress-1.4.3-3.3.1, rabbitmq-server-3.4.4-3.16.1, release-notes-suse-openstack-cloud-7.20180803-3.18.3, rubygem-activeresource-4.0.0-3.3.1, rubygem-crowbar-client-3.9.2-7.20.1, rubygem-json-1_7-1.7.7-3.3.1, rubygem-puma-2.16.0-4.6.1, zookeeper-3.4.10-6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 16 Thomas Leroy 2024-05-06 11:57:50 UTC

All done, closing.