Security update for hivex SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:1761-1 Final 1 1 2021-05-26T09:18:41Z current 2021-05-26T09:18:41Z 2021-05-26T09:18:41Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for hivex This update for hivex fixes the following issues: - CVE-2021-3504: hivex: missing bounds check within hivex_open() (bsc#1185013) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/sles/15.3/libguestfs-tools:0.45.0-2021-1761,SUSE-2021-1761,SUSE-SLE-Module-Basesystem-15-SP2-2021-1761,SUSE-SLE-Module-Basesystem-15-SP3-2021-1761,SUSE-SLE-Module-Development-Tools-15-SP2-2021-1761,SUSE-SLE-Module-Development-Tools-15-SP3-2021-1761,SUSE-SUSE-MicroOS-5.0-2021-1761 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20211761-1/ Link for SUSE-SU-2021:1761-1 https://lists.suse.com/pipermail/sle-security-updates/2021-May/008840.html E-Mail link for SUSE-SU-2021:1761-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1185013 SUSE Bug 1185013 https://www.suse.com/security/cve/CVE-2021-3504/ SUSE CVE CVE-2021-3504 page Container suse/sles/15.3/libguestfs-tools:0.45.0 SUSE Linux Enterprise Micro 5.0 SUSE Linux Enterprise Module for Basesystem 15 SP2 SUSE Linux Enterprise Module for Basesystem 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP3 libhivex0-1.3.14-5.3.1 perl-Win-Hivex-1.3.14-5.3.1 hivex-1.3.14-5.3.1 hivex-devel-1.3.14-5.3.1 hivex-lang-1.3.14-5.3.1 ocaml-hivex-1.3.14-5.3.1 ocaml-hivex-devel-1.3.14-5.3.1 python-hivex-1.3.14-5.3.1 libhivex0-1.3.14-5.3.1 as a component of Container suse/sles/15.3/libguestfs-tools:0.45.0 perl-Win-Hivex-1.3.14-5.3.1 as a component of Container suse/sles/15.3/libguestfs-tools:0.45.0 libhivex0-1.3.14-5.3.1 as a component of SUSE Linux Enterprise Micro 5.0 perl-Win-Hivex-1.3.14-5.3.1 as a component of SUSE Linux Enterprise Micro 5.0 hivex-devel-1.3.14-5.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 libhivex0-1.3.14-5.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 perl-Win-Hivex-1.3.14-5.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 hivex-devel-1.3.14-5.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP3 libhivex0-1.3.14-5.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP3 perl-Win-Hivex-1.3.14-5.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP3 ocaml-hivex-1.3.14-5.3.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 ocaml-hivex-devel-1.3.14-5.3.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 ocaml-hivex-1.3.14-5.3.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP3 ocaml-hivex-devel-1.3.14-5.3.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP3 A flaw was found in the hivex library in versions before 1.3.20. It is caused due to a lack of bounds check within the hivex_open function. An attacker could input a specially crafted Windows Registry (hive) file which would cause hivex to read memory beyond its normal bounds or cause the program to crash. The highest threat from this vulnerability is to system availability. CVE-2021-3504 Container suse/sles/15.3/libguestfs-tools:0.45.0:libhivex0-1.3.14-5.3.1 Container suse/sles/15.3/libguestfs-tools:0.45.0:perl-Win-Hivex-1.3.14-5.3.1 SUSE Linux Enterprise Micro 5.0:libhivex0-1.3.14-5.3.1 SUSE Linux Enterprise Micro 5.0:perl-Win-Hivex-1.3.14-5.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:hivex-devel-1.3.14-5.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:libhivex0-1.3.14-5.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:perl-Win-Hivex-1.3.14-5.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP3:hivex-devel-1.3.14-5.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP3:libhivex0-1.3.14-5.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP3:perl-Win-Hivex-1.3.14-5.3.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:ocaml-hivex-1.3.14-5.3.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:ocaml-hivex-devel-1.3.14-5.3.1 SUSE Linux Enterprise Module for Development Tools 15 SP3:ocaml-hivex-1.3.14-5.3.1 SUSE Linux Enterprise Module for Development Tools 15 SP3:ocaml-hivex-devel-1.3.14-5.3.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211761-1/ https://www.suse.com/security/cve/CVE-2021-3504.html CVE-2021-3504 https://bugzilla.suse.com/1185013 SUSE Bug 1185013