Candidate: CVE-2019-19333
PublicDate: 2019-12-06 16:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19333
 https://github.com/CESNET/libyang/commit/f6d684ade99dd37b21babaa8a856f64faa1e2e0d
Description:
 In all versions of libyang before 1.0-r5, a stack-based buffer overflow was
 discovered in the way libyang parses YANG files with a leaf of type "bits".
 An application that uses libyang to parse untrusted YANG files may be
 vulnerable to this flaw, which would allow an attacker to cause a denial of
 service or possibly gain code execution.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946217
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_libyang:
upstream_libyang: released (0.16.105-2)
precise/esm_libyang: DNE
trusty_libyang: ignored (out of standard support)
trusty/esm_libyang: DNE
xenial_libyang: DNE
bionic_libyang: DNE
disco_libyang: ignored (reached end-of-life)
eoan_libyang: ignored (reached end-of-life)
focal_libyang: not-affected (0.16.105-2)
devel_libyang: not-affected (0.16.105-2)