[Libguestfs] hivex CVE-2021-3504

Richard W.M. Jones rjones at redhat.com
Mon May 3 10:25:41 UTC 2021


hivex is a library for reading and writing Windows Registry (hive)
files.  Jeremy Galindo, Sr Security Engineer at Datto.com found a flaw
caused by a lack of bounds checking in hivex_open which would cause
hivex to read memory beyond its normal bounds and/or cause the program
to crash.

A detailed description of the problem, and the patch, is here:

  https://github.com/libguestfs/hivex/commit/8f1935733b10d974a1a4176d38dd151ed98cf381

This was assessed as having moderate impact and assigned
CVE-2021-3504.  The problem affects all versions of hivex <= 1.3.19.
There is no workaround or mitigation, so you should apply the patch
above, or upgrade to hivex 1.3.20:

  https://download.libguestfs.org/hivex/?C=M;O=D

New packages will be available for Fedora, RHEL and Debian shortly.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
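As an added illustration (not code from hivex, its patch, or this announcement), a bounds-checked walk over the hbin pages and cells of an in-memory hive image, the kind of check whose absence in hivex_open the report describes. It assumes the documented regf layout: a 4096-byte base block, hbin pages whose size (a multiple of 4096) sits at byte 8 of the 32-byte page header, and 8-byte-aligned cells each prefixed by a signed 32-bit size; the function names, the constructed sample image and its sizes are assumptions of this example, not the project's.

```c
#include <stdint.h>
#include <string.h>
#define BASE_BLOCK 4096  /* the "regf" header block occupies the first 4096 bytes */
/* little-endian 32-bit read/write helpers */
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* Walk every hbin page and every cell of an in-memory hive image without reading
 * outside [buf, buf + len).  Returns the cell count, or -1 as soon as any size
 * field would carry the walk past the image or past the page owning the cell. */
int walk_hive_cells(const uint8_t *buf, size_t len)
{
    if (len < BASE_BLOCK + 32 || memcmp(buf, "regf", 4) != 0) return -1;
    int cells = 0;
    size_t page = BASE_BLOCK;
    while (page + 32 <= len) {                       /* 32-byte hbin header */
        if (memcmp(buf + page, "hbin", 4) != 0) return -1;
        uint32_t page_size = rd32(buf + page + 8);
        /* a page is a multiple of 4096 bytes and must end inside the image */
        if (page_size < 4096 || page_size % 4096 || page_size > len - page) return -1;
        size_t page_end = page + page_size, off = page + 32;
        while (off < page_end) {                     /* off stays 8-aligned */
            int32_t raw = (int32_t)rd32(buf + off);  /* negative = allocated cell */
            size_t cell = raw < 0 ? (size_t)-(int64_t)raw : (size_t)raw;
            /* the check that matters: a cell may never extend past its own page */
            if (cell < 8 || cell % 8 || cell > page_end - off) return -1;
            cells++;
            off += cell;
        }
        page = page_end;
    }
    return cells;
}

/* Constructed image (assumed, not a real hive): base block + one 4096-byte hbin
 * holding one cell with the given size field; callers may overwrite cells. */
size_t build_sample_hive(uint8_t *buf, int32_t cell_size)
{
    memset(buf, 0, BASE_BLOCK + 4096);
    memcpy(buf, "regf", 4);
    memcpy(buf + BASE_BLOCK, "hbin", 4);
    wr32(buf + BASE_BLOCK + 8, 4096);
    wr32(buf + BASE_BLOCK + 32, (uint32_t)cell_size);
    return BASE_BLOCK + 4096;
}
```

A size field that claims more bytes than remain in its page, or a page that claims more bytes than remain in the file, is rejected before any read happens rather than being trusted as an offset.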