Bug 1210325 (CVE-2023-26917) - VUL-0: CVE-2023-26917: libyang: NULL pointer dereference via the function lysp_stmt_validate_value at lys_parse_mem.c
Summary: VUL-0: CVE-2023-26917: libyang: NULL pointer dereference via the function lys...
Status: RESOLVED FIXED
Alias: CVE-2023-26917
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/363026/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-26917:6.2:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-04-11 15:34 UTC by Alexander Bergmann
Modified: 2024-05-06 11:58 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2023-04-11 15:34:52 UTC 
CVE-2023-26917

libyang from v2.0.164 to v2.1.30 was discovered to contain a NULL pointer
dereference via the function lysp_stmt_validate_value at lys_parse_mem.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-26917
https://www.cve.org/CVERecord?id=CVE-2023-26917
https://github.com/CESNET/libyang/issues/1987
Comment 1 Alexander Bergmann 2023-04-11 15:37:36 UTC 
Only SLE-15-SP5 is currently affected.

SUSE:SLE-15-SP3:Update  libyang-1.0.184
SUSE:SLE-15-SP5:Update  libyang-2.0.231
openSUSE:Factory        libyang-2.1.55
Comment 2 Petr Gajdos 2023-04-13 08:57:45 UTC 
(In reply to Alexander Bergmann from comment #1)
> SUSE:SLE-15-SP5:Update  libyang-2.0.231

Valentin already updated libyang in 15sp5 to Factory version (2.1.55).

I believe all fixed.
Comment 3 Petr Gajdos 2023-04-13 09:01:08 UTC 
See also bug 1210072.
Comment 4 Robert Frohl 2024-05-06 11:58:23 UTC 
done, closing