{"id":"CVE-2019-3817","details":"A use-after-free flaw has been discovered in libcomps before version 0.1.10 in the way ObjMRTrees are merged. An attacker, who is able to make an application read a crafted comps XML file, may be able to crash the application or execute malicious code.","modified":"2026-04-11T09:46:15.110578Z","published":"2019-03-27T13:29:01.413Z","related":["openSUSE-SU-2019:0323-1","openSUSE-SU-2019:0328-1","openSUSE-SU-2024:10929-1"],"references":[{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3583"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3898"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3817"},{"type":"REPORT","url":"https://github.com/rpm-software-management/libcomps/issues/41"},{"type":"FIX","url":"https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rpm-software-management/libcomps","events":[{"introduced":"0"},{"fixed":"86a82fcd155c27092340d15a34f5c75c4da88243"},{"fixed":"e3a5d056633677959ad924a51758876d415e7046"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.1.10"}]}}],"versions":["libcomps-0.1.1-1","libcomps-0.1.3","libcomps-0.1.4","libcomps-0.1.5","libcomps-0.1.6","libcomps-0.1.7","libcomps-0.1.9"],"database_specific":{"vanir_signatures":[{"signature_type":"Function","signature_version":"v1","deprecated":false,"digest":{"length":1720,"function_hash":"221883842316877266225135665509008155299"},"target":{"function":"comps_rtree_unite","file":"libcomps/src/comps_radix.c"},"source":"https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046","id":"CVE-2019-3817-09c12797"},{"signature_type":"Line","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["253665598825233029093033739596960373873","337445221573669159305150971171357881214","165686396496938068983173430501596014117","131845258616473942916386536453394588445","86869103249019105588737519873273828133","253655779738947529595166061923216200999","325780392788154685801315612498824002784","80128346591984801325755628513139326636"]},"target":{"file":"libcomps/src/comps_objmradix.c"},"source":"https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046","id":"CVE-2019-3817-6262e170"},{"signature_type":"Function","signature_version":"v1","deprecated":false,"digest":{"length":1967,"function_hash":"339101478074468591327783017204771854819"},"target":{"function":"comps_objmrtree_unite","file":"libcomps/src/comps_objmradix.c"},"source":"https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046","id":"CVE-2019-3817-65f8301d"},{"signature_type":"Line","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["253665598825233029093033739596960373873","337445221573669159305150971171357881214","165686396496938068983173430501596014117","131845258616473942916386536453394588445"]},"target":{"file":"libcomps/src/comps_radix.c"},"source":"https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046","id":"CVE-2019-3817-68352ec9"},{"signature_type":"Function","signature_version":"v1","deprecated":false,"digest":{"length":1699,"function_hash":"307666424191030074401432142163007664969"},"target":{"function":"comps_objrtree_unite","file":"libcomps/src/comps_objradix.c"},"source":"https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046","id":"CVE-2019-3817-739582da"},{"signature_type":"Line","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["253665598825233029093033739596960373873","337445221573669159305150971171357881214","165686396496938068983173430501596014117","131845258616473942916386536453394588445","86869103249019105588737519873273828133","253655779738947529595166061923216200999","325780392788154685801315612498824002784","272198591804369979339929438277714930493"]},"target":{"file":"libcomps/src/comps_mradix.c"},"source":"https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046","id":"CVE-2019-3817-8cc697f9"},{"signature_type":"Function","signature_version":"v1","deprecated":false,"digest":{"length":1956,"function_hash":"48544156199186513404856293592824836570"},"target":{"function":"comps_mrtree_unite","file":"libcomps/src/comps_mradix.c"},"source":"https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046","id":"CVE-2019-3817-ce03e02e"},{"signature_type":"Line","signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["253665598825233029093033739596960373873","337445221573669159305150971171357881214","165686396496938068983173430501596014117","131845258616473942916386536453394588445","190462805541812933931988042811062554250","338901244845187452905579488875482000055","316369999271288864678030682587520042431"]},"target":{"file":"libcomps/src/comps_objradix.c"},"source":"https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046","id":"CVE-2019-3817-d4c713da"}],"vanir_signatures_modified":"2026-04-11T09:46:15Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-3817.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}