CVE-2019-19334
- Source
- https://cve.org/CVERecord?id=CVE-2019-19334
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-19334.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2019-19334
- Downstream
- Published
- 2019-12-06T16:15:10.920Z
- Modified
- 2026-02-23T08:17:18.266091Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In all versions of libyang before 1.0-r5, a stack-based buffer overflow was discovered in the way libyang parses YANG files with a leaf of type "identityref". An application that uses libyang to parse untrusted YANG files may be vulnerable to this flaw, which would allow an attacker to cause a denial of service or possibly gain code execution.
- References
-
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PETB6TVMFV5KUD4IKVP2JPLBCYHUGSAJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RL54JMS7XW7PI6JC4BFSNNLSX5AINQUL/
- https://access.redhat.com/errata/RHSA-2019:4360
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19334
- https://github.com/CESNET/libyang/commit/6980afae2ff9fcd6d67508b0a3f694d75fd059d6
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19334
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19334
- https://github.com/CESNET/libyang/commit/6980afae2ff9fcd6d67508b0a3f694d75fd059d6
Affected packages
Git / github.com/cesnet/libyang
Affected ranges
- Type
- GIT
- Repo
- https://github.com/cesnet/libyang
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v0.*
v0.11-r1
v0.11-r2
v0.12-r1
v0.12-r2
v0.13-r1
v0.13-r2
v0.14-r1
v0.15-r1
v0.16-r1
v0.16-r2
v0.16-r3
v1.*
v1.0-r1
v1.0-r2
v1.0-r3
v1.0-r4
Database specific
vanir_signatures
[
{
"id": "CVE-2019-19334-0fc85d57",
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/cesnet/libyang/commit/6980afae2ff9fcd6d67508b0a3f694d75fd059d6",
"target": {
"file": "src/parser.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"292995609282841363669975935046566204682",
"149517033522983099106477072070701937564",
"297297297624460440254951196547675551567",
"72996930533404138982397399557811059557",
"274334248161745766359455477880545863750",
"199060229445835364465972116034786537046"
]
},
"signature_type": "Line"
},
{
"id": "CVE-2019-19334-8e9f3d59",
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/cesnet/libyang/commit/6980afae2ff9fcd6d67508b0a3f694d75fd059d6",
"target": {
"function": "make_canonical",
"file": "src/parser.c"
},
"digest": {
"length": 3550.0,
"function_hash": "264754062392839519042860666898880122305"
},
"signature_type": "Function"
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-19334.json"