CVE-2019-5020

Priority
Description
An exploitable denial of service vulnerability exists in the object lookup
functionality of Yara 3.8.1. A specially crafted binary file can cause a
negative value to be read to satisfy an assert, resulting in Denial of
Service. An attacker can create a malicious binary to trigger this
vulnerability.
Notes
 ebarretto> upstream fix introduced a regression, please check if all necessary
 ebarretto> commits are included when patching.
Package
Source: yara (LP Ubuntu Debian)
Upstream: released (3.9.0-1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (code not present)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (code not present)
Ubuntu 19.04 (Disco Dingo): needed
Ubuntu 19.10 (Eoan): released (3.9.0-1)
Patches:
Upstream: https://github.com/VirusTotal/yara/commit/1ecb0e66431bf5c5b4c2fdf622be969eb5f4a7cc
Upstream: https://github.com/VirusTotal/yara/commit/a3784d3855029bd0ad24071e72746cc0c31b8cba
More Information

Updated: 2019-08-23 07:59:11 UTC (commit 436fd4ed4cf0038ddd382cb8649607ace163dda7)