PublicDateAtUSN: 2019-01-16 14:29:00 UTC
Candidate: CVE-2018-20721
PublicDate: 2019-01-16 14:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20721
 https://github.com/uriparser/uriparser/commit/cef25028de5ff872c2e1f0a6c562eb3ea9ecbce4
 https://github.com/uriparser/uriparser/blob/master/ChangeLog
 https://ubuntu.com/security/notices/USN-5172-1
Description:
 URI_FUNC() in UriParse.c in uriparser before 0.9.1 has an out-of-bounds
 read (in uriParse*Ex* functions) for an incomplete URI with an IPv6 address
 containing an embedded IPv4 address, such as a "//[::44.1" address.
Ubuntu-Description:
 It was discovered that uriparser incorrectly handled certain URIs. An
 attacker could use this vulnerability to cause a crash or possibly leak
 sensitive information.
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_uriparser:
 upstream: https://github.com/uriparser/uriparser/commit/cef25028de5ff872c2e1f0a6c562eb3ea9ecbce4.patch
upstream_uriparser: released (0.9.1-1)
precise/esm_uriparser: DNE
trusty_uriparser: ignored (out of standard support)
trusty/esm_uriparser: needed
xenial_uriparser: ignored (end of standard support, was needed)
bionic_uriparser: released (0.8.4-1+deb9u2build0.18.04.1)
cosmic_uriparser: not-affected (0.9.1-1)
disco_uriparser: not-affected (0.9.1-1)
eoan_uriparser: not-affected (0.9.1-1)
focal_uriparser: not-affected (0.9.1-1)
groovy_uriparser: not-affected (0.9.1-1)
hirsute_uriparser: not-affected (0.9.1-1)
impish_uriparser: not-affected (0.9.1-1)
jammy_uriparser: not-affected (0.9.1-1)
devel_uriparser: not-affected (0.9.1-1)