{"id":"CVE-2019-20387","details":"repodata_schema2id in repodata.c in libsolv before 0.7.6 has a heap-based buffer over-read via a last schema whose length is less than the length of the input schema.","modified":"2026-04-02T02:06:51.100678Z","published":"2020-01-21T23:15:13.443Z","related":["MGASA-2020-0117","SUSE-SU-2021:2145-1","SUSE-SU-2021:2180-1"],"references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/01/msg00034.html"},{"type":"FIX","url":"https://github.com/openSUSE/libsolv/compare/0.7.5...0.7.6"},{"type":"FIX","url":"https://github.com/openSUSE/libsolv/commit/fdb9c9c03508990e4583046b590c30d958f272da"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/opensuse/libsolv","events":[{"introduced":"0"},{"fixed":"17ce4bc4fb52a0b32964f3b7d491c18177980be1"},{"fixed":"fdb9c9c03508990e4583046b590c30d958f272da"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.7.6"}]}}],"versions":["0.6.10","0.6.11","0.6.12","0.6.13","0.6.14","0.6.15","0.6.16","0.6.17","0.6.18","0.6.19","0.6.20","0.6.21","0.6.22","0.6.23","0.6.24","0.6.25","0.6.26","0.6.27","0.6.28","0.6.29","0.6.30","0.6.31","0.6.32","0.6.33","0.6.34","0.6.35","0.6.36","0.6.37","0.6.38","0.6.39","0.6.4","0.6.5","0.6.6","0.6.7","0.6.8","0.6.9","0.7.0","0.7.1","0.7.2","0.7.3","0.7.4","0.7.5","BASE-SuSE-Code-12_1-Branch","BASE-SuSE-Code-12_2-Branch","BASE-SuSE-Code-12_3-Branch","BASE-SuSE-Code-13_1-Branch"],"database_specific":{"vanir_signatures":[{"target":{"file":"src/repodata.c","function":"repodata_schema2id"},"source":"https://github.com/opensuse/libsolv/commit/fdb9c9c03508990e4583046b590c30d958f272da","signature_type":"Function","id":"CVE-2019-20387-14be743e","deprecated":false,"digest":{"function_hash":"4899277101288193706485005846420497178","length":1697},"signature_version":"v1"},{"target":{"file":"src/repodata.c"},"source":"https://github.com/opensuse/libsolv/commit/fdb9c9c03508990e4583046b590c30d958f272da","signature_type":"Line","id":"CVE-2019-20387-2b36464b","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["272047716795212802441097868574234895908","37400958923676777071933101271582289650","265341671384809898946922769719777125133","53443162342254653955672112058005017995","278243617184913516167546565061182609866","23330873008043240081292770275914080789","260254168737727559623885259626174947827"]},"signature_version":"v1"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-20387.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}