1186377 – (CVE-2021-28905) VUL-0: CVE-2021-28905: libyang: In function lys_node_free() in libyang <= v1.0.225, it asserts that the value of node->module can't be NULL, which could lead to a DoS

Bug 1186377 (CVE-2021-28905) - VUL-0: CVE-2021-28905: libyang: In function lys_node_free() in libyang <= v1.0.225, it asserts that the value of node->module can't be NULL, which could lead to a DoS

Summary: VUL-0: CVE-2021-28905: libyang: In function lys_node_free() in libyang <= v1....

Status:	RESOLVED FIXED

Alias:	CVE-2021-28905

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Assignee:	Martin Hauke
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/298852/
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-28905:7.5:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2021-05-24 09:03 UTC by Gianluca Gabrielli
Modified:	2024-05-23 09:45 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Gianluca Gabrielli 2021-05-24 09:03:58 UTC

CVE-2021-28905

In function lys_node_free() in libyang <= v1.0.225, it asserts that the value of
node->module can't be NULL. But in some cases, node->module can be null, which
triggers a reachable assertion (CWE-617).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-28905
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28905
https://github.com/CESNET/libyang/issues/1452

Comment 1 Gianluca Gabrielli 2021-05-24 09:04:13 UTC

Affected packages:

 - SUSE:SLE-15-SP3:Update/libyang  1.0.184
 - openSUSE:Factory/libyang        1.0.184

Upstream patch [0].

[0] https://github.com/CESNET/libyang/commit/5ce30801f9ccc372bbe9b7c98bb5324b15fb010a.patch

Comment 2 Gianluca Gabrielli 2022-08-05 09:55:28 UTC

Hi coldpool, could you take care of this?

Comment 3 Petr Gajdos 2022-08-23 07:26:35 UTC

Submitted for 15sp3/libyang.

Reassigning to openSUSE maintainer: I think this CVE is either fixed or not applicable for 2.x branch. Could you please help us by making this clear in *.changes file?

Comment 5 Swamp Workflow Management 2022-08-26 19:16:38 UTC

SUSE-SU-2022:2922-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1186377
CVE References: CVE-2021-28905
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    libyang-1.0.184-150300.3.3.1
openSUSE Leap 15.3 (src):    libyang-1.0.184-150300.3.3.1
SUSE Linux Enterprise Module for Server Applications 15-SP4 (src):    libyang-1.0.184-150300.3.3.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    libyang-1.0.184-150300.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 7 Alexander Bergmann 2024-05-23 09:45:19 UTC

Closing bug as resolved.