SUSE Package Hub - openSUSE-2019-171

Update Info

openSUSE-2019-171

Security update for uriparser

Type: security

Severity: low

Issued: 2019-02-13

Description:

This update for uriparser fixes the following issues:

Security issues fixed:

- CVE-2018-20721: Fixed an out-of-bounds read for incomplete URIs with IPv6 addresses with embedded IPv4 address (bsc#1122193).
- CVE-2018-19198: Fixed an out-of-bounds write that was possible via the uriComposeQuery* or uriComposeQueryEx* function (bsc#1115722).
- CVE-2018-19199: Fixed an integer overflow caused by an unchecked multiplication via the uriComposeQuery* or uriComposeQueryEx* function (bsc#1115723).
- CVE-2018-19200: Fixed a operation attempted on NULL input via a uriResetUri* function (bsc#1115724).

This update was imported from the SUSE:SLE-15:Update update project.
This update was imported from the openSUSE:Leap:15.0:Update update project.

References

CVE: CVE-2018-20721
CVE: CVE-2018-19200
CVE: CVE-2018-19199
CVE: CVE-2018-19198
Bugzilla: 1122193 VUL-0: CVE-2018-20721: uriparser: Out-of-bounds read in uriParse*Ex* for incomplete URIs with IPv6 addresses with embedded IPv4 address
Bugzilla: 1115724 VUL-1: CVE-2018-19200: uriparser: UriCommon.c allows attempted operations on NULL input via a uriResetUri* function
Bugzilla: 1115723 VUL-0: CVE-2018-19199: uriparser: UriQuery.c allows an integer overflow via a uriComposeQuery* or uriComposeQueryEx* function because of an unchecked multiplication
Bugzilla: 1115722 VUL-0: CVE-2018-19198: uriparser: UriQuery.c allows an out-of-bounds write via a uriComposeQuery* or uriComposeQueryEx* function because the '&' character is mishandled in certain contexts

Packages

uriparser-0.8.5-bp150.2.3.1