CVE-2021-20204

Name: CVE-2021-20204
Description: A heap memory corruption problem (use after free) can be triggered in libgetdata v0.10.0 when processing maliciously crafted dirfile databases. This degrades the confidentiality, integrity and availability of third-party software that uses libgetdata as a library. This vulnerability may lead to arbitrary code execution or privilege escalation, depending on the input and the attacker's skills.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-2660-1
Debian Bugs: 988239

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release    Version             Status
libgetdata (PTS)   buster     0.10.0-5+deb10u1    fixed
                   bullseye   0.10.0-10           fixed
                   bookworm   0.11.0-6            fixed
                   trixie     0.11.0-12           fixed
                   sid        0.11.0-13           fixed

The information below is based on the following data on fixed versions.

Package      Type     Release      Fixed Version       Urgency   Origin       Debian Bugs
libgetdata   source   stretch      0.9.4-1+deb9u1                DLA-2660-1
libgetdata   source   buster       0.10.0-5+deb10u1
libgetdata   source   (unstable)   0.10.0-10                                  988239

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=1956348
https://bugs.launchpad.net/ubuntu/+source/libgetdata/+bug/1912050
The applied Debian patch causes functional regressions: https://bugs.debian.org/992437
