UBUNTU-CVE-2019-3570

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2019-3570
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-3570.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2019-3570
Related
Published
2019-07-18T16:15:00Z
Modified
2025-01-13T10:21:52Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Call to the scryptenc() function in HHVM can lead to heap corruption by using specifically crafted parameters (N, r and p). This happens if the parameters are configurable by an attacker for instance by providing the output of scryptenc() in a context where Hack/PHP code would attempt to verify it by re-running scrypt_enc() with the same parameters. This could result in information disclosure, memory being overwriten or crashes of the HHVM process. This issue affects versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, versions 3.30.5 and below, and all versions in the 4.0, 4.1, and 4.2 series.

References

Affected packages

Ubuntu:Pro:16.04:LTS / hhvm

Package

Name
hhvm
Purl
pkg:deb/ubuntu/hhvm@3.11.1+dfsg-1ubuntu1?arch=source&distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.11.0+dfsg-1
3.11.1+dfsg-1
3.11.1+dfsg-1ubuntu1

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:18.04:LTS / hhvm

Package

Name
hhvm
Purl
pkg:deb/ubuntu/hhvm@3.21.0+dfsg-2ubuntu2?arch=source&distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.21.0+dfsg-2
3.21.0+dfsg-2build1
3.21.0+dfsg-2build2
3.21.0+dfsg-2build3
3.21.0+dfsg-2ubuntu2

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}