CVE-2021-20204

Name: CVE-2021-20204
Description: A heap memory corruption problem (use after free) can be triggered in libgetdata v0.10.0 when processing maliciously crafted dirfile databases. This degrades the confidentiality, integrity and availability of third-party software that uses libgetdata as a library. This vulnerability may lead to arbitrary code execution or privilege escalation, depending on the input and the attacker's skills.
Source: CVE (at NVD)
References: DLA-2660-1
NVD severity: high
Debian Bugs: 988239

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package      Release             Version           Status
libgetdata (PTS)    stretch             0.9.4-1           vulnerable
                    stretch (security)  0.9.4-1+deb9u1    fixed
                    buster              0.10.0-5+deb10u1  fixed
                    bullseye, sid       0.10.0-10         fixed

The information below is based on the following data on fixed versions.

Package     Type    Release     Fixed Version     Urgency  Origin      Debian Bugs
libgetdata  source  stretch     0.9.4-1+deb9u1             DLA-2660-1
libgetdata  source  buster      0.10.0-5+deb10u1
libgetdata  source  (unstable)  0.10.0-10                              988239

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=1956348
https://bugs.launchpad.net/ubuntu/+source/libgetdata/+bug/1912050
