{"id":"CVE-2019-3817","details":"A use-after-free flaw has been discovered in libcomps before version 0.1.10 in the way ObjMRTrees are merged. An attacker, who is able to make an application read a crafted comps XML file, may be able to crash the application or execute malicious code.","modified":"2026-04-11T09:46:15.110578Z","published":"2019-03-27T13:29:01.413Z","related":["openSUSE-SU-2019:0323-1","openSUSE-SU-2019:0328-1","openSUSE-SU-2024:10929-1"],"references":[{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3583"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3898"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3817"},{"type":"REPORT","url":"https://github.com/rpm-software-management/libcomps/issues/41"},{"type":"FIX","url":"https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rpm-software-management/libcomps","events":[{"introduced":"0"},{"fixed":"86a82fcd155c27092340d15a34f5c75c4da88243"},{"fixed":"e3a5d056633677959ad924a51758876d415e7046"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.1.10"}]}}],"versions":["libcomps-0.1.1-1","libcomps-0.1.3","libcomps-0.1.4","libcomps-0.1.5","libcomps-0.1.6","libcomps-0.1.7","libcomps-0.1.9"],"database_specific":{"vanir_signatures":[{"digest":{"function_hash":"221883842316877266225135665509008155299","length":1720},"target":{"function":"comps_rtree_unite","file":"libcomps/src/comps_radix.c"},"deprecated":false,"signature_version":"v1","id":"CVE-2019-3817-09c12797","source":"https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046","signature_type":"Function"},{"digest":{"line_hashes":["253665598825233029093033739596960373873","337445221573669159305150971171357881214","165686396496938068983173430501596014117","131845258616473942916386536453394588445","86869103249019105588737519873273828133","253655779738947529595166061923216200999","325780392788154685801315612498824002784","80128346591984801325755628513139326636"],"threshold":0.9},"target":{"file":"libcomps/src/comps_objmradix.c"},"deprecated":false,"signature_version":"v1","id":"CVE-2019-3817-6262e170","source":"https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046","signature_type":"Line"},{"digest":{"function_hash":"339101478074468591327783017204771854819","length":1967},"target":{"function":"comps_objmrtree_unite","file":"libcomps/src/comps_objmradix.c"},"deprecated":false,"signature_version":"v1","id":"CVE-2019-3817-65f8301d","source":"https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046","signature_type":"Function"},{"digest":{"line_hashes":["253665598825233029093033739596960373873","337445221573669159305150971171357881214","165686396496938068983173430501596014117","131845258616473942916386536453394588445"],"threshold":0.9},"target":{"file":"libcomps/src/comps_radix.c"},"deprecated":false,"signature_version":"v1","id":"CVE-2019-3817-68352ec9","source":"https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046","signature_type":"Line"},{"digest":{"function_hash":"307666424191030074401432142163007664969","length":1699},"target":{"function":"comps_objrtree_unite","file":"libcomps/src/comps_objradix.c"},"deprecated":false,"signature_version":"v1","id":"CVE-2019-3817-739582da","source":"https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046","signature_type":"Function"},{"digest":{"line_hashes":["253665598825233029093033739596960373873","337445221573669159305150971171357881214","165686396496938068983173430501596014117","131845258616473942916386536453394588445","86869103249019105588737519873273828133","253655779738947529595166061923216200999","325780392788154685801315612498824002784","272198591804369979339929438277714930493"],"threshold":0.9},"target":{"file":"libcomps/src/comps_mradix.c"},"deprecated":false,"signature_version":"v1","id":"CVE-2019-3817-8cc697f9","source":"https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046","signature_type":"Line"},{"digest":{"function_hash":"48544156199186513404856293592824836570","length":1956},"target":{"function":"comps_mrtree_unite","file":"libcomps/src/comps_mradix.c"},"deprecated":false,"signature_version":"v1","id":"CVE-2019-3817-ce03e02e","source":"https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046","signature_type":"Function"},{"digest":{"line_hashes":["253665598825233029093033739596960373873","337445221573669159305150971171357881214","165686396496938068983173430501596014117","131845258616473942916386536453394588445","190462805541812933931988042811062554250","338901244845187452905579488875482000055","316369999271288864678030682587520042431"],"threshold":0.9},"target":{"file":"libcomps/src/comps_objradix.c"},"deprecated":false,"signature_version":"v1","id":"CVE-2019-3817-d4c713da","source":"https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046","signature_type":"Line"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-3817.json","vanir_signatures_modified":"2026-04-11T09:46:15Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}