An invalid memory access flaw is present in libyang before v1.0-r1 in the function resolve_feature_value() when an if-feature statement is used inside a list key node and the feature it refers to is not defined. Applications that use libyang to parse untrusted YANG input files may crash.
{ "vanir_signatures": [ { "digest": { "line_hashes": [ "153002500423798434256592701584245625463", "230614830459831309431581078566189452272", "270973861011249829838003646989904623610", "148657964967570686949299799845810273179", "257659658612003441551797041979747112217" ], "threshold": 0.9 }, "deprecated": false, "signature_version": "v1", "signature_type": "Line", "id": "CVE-2019-20392-032a276a", "source": "https://github.com/cesnet/libyang/commit/32fb4993bc8bb49e93e84016af3c10ea53964be5", "target": { "file": "src/tree_internal.h" } }, { "digest": { "function_hash": "59104920717271573034795326211912967008", "length": 658.0 }, "deprecated": false, "signature_version": "v1", "signature_type": "Function", "id": "CVE-2019-20392-1951f31b", "source": "https://github.com/cesnet/libyang/commit/32fb4993bc8bb49e93e84016af3c10ea53964be5", "target": { "function": "lyd_new_yangdata", "file": "src/tree_data.c" } }, { "digest": { "function_hash": "122236524139901627952942428461825117349", "length": 624.0 }, "deprecated": false, "signature_version": "v1", "signature_type": "Function", "id": "CVE-2019-20392-7f66e1f9", "source": "https://github.com/cesnet/libyang/commit/32fb4993bc8bb49e93e84016af3c10ea53964be5", "target": { "function": "lyd_new", "file": "src/tree_data.c" } }, { "digest": { "function_hash": "57052246400986240294450456389561567888", "length": 1505.0 }, "deprecated": false, "signature_version": "v1", "signature_type": "Function", "id": "CVE-2019-20392-90ac78de", "source": "https://github.com/cesnet/libyang/commit/32fb4993bc8bb49e93e84016af3c10ea53964be5", "target": { "function": "resolve_list_keys", "file": "src/resolve.c" } }, { "digest": { "function_hash": "187590895897927979670393245606269578600", "length": 611.0 }, "deprecated": false, "signature_version": "v1", "signature_type": "Function", "id": "CVE-2019-20392-9448a57e", "source": "https://github.com/cesnet/libyang/commit/32fb4993bc8bb49e93e84016af3c10ea53964be5", "target": { "function": "lyd_new_anydata", 
"file": "src/tree_data.c" } }, { "digest": { "function_hash": "204286570847905701609976863284017896093", "length": 611.0 }, "deprecated": false, "signature_version": "v1", "signature_type": "Function", "id": "CVE-2019-20392-962a5d69", "source": "https://github.com/cesnet/libyang/commit/32fb4993bc8bb49e93e84016af3c10ea53964be5", "target": { "function": "lyd_new_output_anydata", "file": "src/tree_data.c" } }, { "digest": { "line_hashes": [ "321325470471087745242311288612032237358", "56477959894432327662330507575327822819", "53404165965557677183984291584300438482", "271057890279561772190694269287218803445", "306250846510245806449103643624440870868", "45196027690109702854929066173998056955", "55192732760628959106392687531181296118", "316499779196054505278354666682740257131", "165092681096174009704981897216533908279", "81670330197492541712634698495065547077", "123388074370574693039497351523872459089", "54676762953646895315479720753943744797", "238764938177065892686943584493549413735", "245218462282638934395814115927369703723", "125668014696491015217885674604179728911", "313040288249818402581341811310372731022", "321325470471087745242311288612032237358", "56477959894432327662330507575327822819", "53404165965557677183984291584300438482", "271057890279561772190694269287218803445", "306250846510245806449103643624440870868", "45196027690109702854929066173998056955", "55192732760628959106392687531181296118", "316499779196054505278354666682740257131", "165092681096174009704981897216533908279", "81670330197492541712634698495065547077", "123388074370574693039497351523872459089", "54676762953646895315479720753943744797", "230057388760933413550921968297649941014", "320076485189318407780215182679474077876", "70278170345059972295009906076420928262", "211733341214040470307084349578988748206" ], "threshold": 0.9 }, "deprecated": false, "signature_version": "v1", "signature_type": "Line", "id": "CVE-2019-20392-aa4e95ea", "source": 
"https://github.com/cesnet/libyang/commit/32fb4993bc8bb49e93e84016af3c10ea53964be5", "target": { "file": "src/tree_data.c" } }, { "digest": { "function_hash": "114802227195512835173326309507133879899", "length": 622.0 }, "deprecated": false, "signature_version": "v1", "signature_type": "Function", "id": "CVE-2019-20392-b5040d99", "source": "https://github.com/cesnet/libyang/commit/32fb4993bc8bb49e93e84016af3c10ea53964be5", "target": { "function": "lyd_new_leaf", "file": "src/tree_data.c" } }, { "digest": { "function_hash": "164266810528397342352146474051971536506", "length": 622.0 }, "deprecated": false, "signature_version": "v1", "signature_type": "Function", "id": "CVE-2019-20392-ccbf8f8c", "source": "https://github.com/cesnet/libyang/commit/32fb4993bc8bb49e93e84016af3c10ea53964be5", "target": { "function": "lyd_new_output_leaf", "file": "src/tree_data.c" } }, { "digest": { "function_hash": "228488513980899824368525078319399997149", "length": 624.0 }, "deprecated": false, "signature_version": "v1", "signature_type": "Function", "id": "CVE-2019-20392-d3fdd596", "source": "https://github.com/cesnet/libyang/commit/32fb4993bc8bb49e93e84016af3c10ea53964be5", "target": { "function": "lyd_new_output", "file": "src/tree_data.c" } }, { "digest": { "function_hash": "57829431738036421082182047656068015947", "length": 714.0 }, "deprecated": false, "signature_version": "v1", "signature_type": "Function", "id": "CVE-2019-20392-e175b3b0", "source": "https://github.com/cesnet/libyang/commit/32fb4993bc8bb49e93e84016af3c10ea53964be5", "target": { "function": "lys_getnext_data", "file": "src/tree_schema.c" } }, { "digest": { "line_hashes": [ "301083763695685425972847294016431004979", "210458590891657111559610829966846006069", "15576116880097838804817988465904177720", "207103289855468977022175404121393741526", "33213091629819581431056391363718183242", "140307323188134758435499197304213981010", "164036938917007446127986822134950420670", "234680713329600261993262436518060424716", 
"225815452451362738509091908457938952003", "37122003908092904473215613234915913806", "277170383410592903311965170110004644053", "108043387628562309678135878036510854571" ], "threshold": 0.9 }, "deprecated": false, "signature_version": "v1", "signature_type": "Line", "id": "CVE-2019-20392-e2f71428", "source": "https://github.com/cesnet/libyang/commit/32fb4993bc8bb49e93e84016af3c10ea53964be5", "target": { "file": "src/resolve.c" } }, { "digest": { "function_hash": "114798472255238706783513339068407806635", "length": 2595.0 }, "deprecated": false, "signature_version": "v1", "signature_type": "Function", "id": "CVE-2019-20392-e50b6f12", "source": "https://github.com/cesnet/libyang/commit/32fb4993bc8bb49e93e84016af3c10ea53964be5", "target": { "function": "resolve_schema_leafref_predicate", "file": "src/resolve.c" } }, { "digest": { "function_hash": "333075831465526990775069479674520315558", "length": 3174.0 }, "deprecated": false, "signature_version": "v1", "signature_type": "Function", "id": "CVE-2019-20392-ee5d3f07", "source": "https://github.com/cesnet/libyang/commit/32fb4993bc8bb49e93e84016af3c10ea53964be5", "target": { "function": "lyd_dup_to_ctx", "file": "src/tree_data.c" } }, { "digest": { "line_hashes": [ "322287222846338707854596842130787799252", "305851520901855814207703427485776693859", "143168878008050025730951350250954976421", "283311210623711391377559075215145741240", "71688971604327333584151666155381498755", "119357412104916274344613699507877729234", "232262246563263944549808674222602446354", "277467676394665399045161204069479551377" ], "threshold": 0.9 }, "deprecated": false, "signature_version": "v1", "signature_type": "Line", "id": "CVE-2019-20392-f2040b03", "source": "https://github.com/cesnet/libyang/commit/32fb4993bc8bb49e93e84016af3c10ea53964be5", "target": { "file": "src/tree_schema.c" } } ] }