CVE-2019-20393

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2019-20393
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-20393.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-20393
Downstream
Published
2020-01-22T22:15:10Z
Modified
2025-10-15T10:50:33.450943Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A double-free is present in libyang before v1.0-r1 in the function yyparse() when an empty description is used. Applications that use libyang to parse untrusted input yang files may be vulnerable to this flaw, which would cause a crash or potentially code execution.

References

Affected packages

Git / github.com/cesnet/libyang

Affected ranges

Type
GIT
Repo
https://github.com/cesnet/libyang
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
d9feacc4a590d35dbc1af21caf9080008b4450ed

Affected versions

v0.*

v0.11-r1
v0.11-r2
v0.12-r1
v0.12-r2
v0.13-r1
v0.13-r2
v0.14-r1
v0.15-r1
v0.16-r1
v0.16-r2
v0.16-r3

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "deprecated": false,
        "source": "https://github.com/cesnet/libyang/commit/d9feacc4a590d35dbc1af21caf9080008b4450ed",
        "signature_version": "v1",
        "target": {
            "function": "yang_read_extcomplex_str",
            "file": "src/parser_yang.c"
        },
        "digest": {
            "function_hash": "210618447206416842963716160319291067596",
            "length": 2549.0
        },
        "id": "CVE-2019-20393-0b51fd0c"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "source": "https://github.com/cesnet/libyang/commit/d9feacc4a590d35dbc1af21caf9080008b4450ed",
        "signature_version": "v1",
        "target": {
            "file": "src/parser_yang.h"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "159197367693089516205569419912882508586",
                "338106989825557444275081214165145915240",
                "173638409708146125147860696944110058569",
                "53588195873947443362605094523268632561"
            ]
        },
        "id": "CVE-2019-20393-771ceaf5"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "source": "https://github.com/cesnet/libyang/commit/d9feacc4a590d35dbc1af21caf9080008b4450ed",
        "signature_version": "v1",
        "target": {
            "file": "src/parser_yang.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "21416199901454646743488100686154337882",
                "99164107408091063006777308910482006306",
                "61145605236541993103649237040225949367",
                "25219585484697981976401862072666946141",
                "211425843115769248843453539035067461254",
                "339575617453095667235171076010640122886",
                "120029062690870830515387605234494720776",
                "36172509862558898669720294441233507847",
                "254486200007475077881178437586168801239",
                "177520086970103864665717550503336861879",
                "194409106657883996911427762030776432816",
                "117077981437795543605848299468409372024",
                "80297440400200033459641880579578726293",
                "153541918219877504581369759612042270485",
                "271518729587833602837386109568267296786",
                "297590879985857847552467511180086627227",
                "177270519452510328620494519888220248824"
            ]
        },
        "id": "CVE-2019-20393-7c066af9"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "source": "https://github.com/cesnet/libyang/commit/d9feacc4a590d35dbc1af21caf9080008b4450ed",
        "signature_version": "v1",
        "target": {
            "function": "yyparse",
            "file": "src/parser_yang_bis.c"
        },
        "digest": {
            "function_hash": "297619105104962865464252916456058722015",
            "length": 121723.0
        },
        "id": "CVE-2019-20393-897a4187"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "source": "https://github.com/cesnet/libyang/commit/d9feacc4a590d35dbc1af21caf9080008b4450ed",
        "signature_version": "v1",
        "target": {
            "file": "src/parser_yang_bis.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "281173314764415771078734596198839755998",
                "160286089755377420471048506915642211568",
                "175388115082871246159087214172897637780",
                "273804716555576637974727595170238162137",
                "310981047629080967697626232498865314043",
                "90823686894974054152352645734798982690",
                "28012874169947363259138203723484029924",
                "41694348609127876001830458036253700810",
                "131777903932017419486465995440103100648",
                "168013029427957451649208388171256321784",
                "186245089661852243317568101655424807515",
                "81108806283943699757978489840608461396",
                "50197152091423902626038935630591975267",
                "308088478696431713122006729790779885025",
                "28599201766766415515356910472396650691",
                "194251369466084534053266358921769586418",
                "48886778270000747810057481298878765273",
                "295041330686215775529943419110018374422",
                "7550286812935820323808551807101263791",
                "12114679460682025133744961202188155820",
                "69563439567826275403782157747820226829",
                "264145785382469150700010076871629393182",
                "48015251036073566216842964328906380190",
                "20969775262226781481092469174613296434",
                "161875272980297512773701091650123129992",
                "239587576820807265019085726896510712062",
                "270582090242205734324764746108689898697",
                "329491352820764632893578964270107894124",
                "89123590792079233993250112918373910657",
                "185542756248377223930882272774750473442",
                "143546575568490012525947902002105892405",
                "183892370886530013127993239560636193310",
                "192318873967208278677638109277753104145",
                "180817541286572442755944851340801350087",
                "263210088259807270771394852731167125662",
                "26847781364965320247592763304101656632",
                "97430940798891537200917969977282827827",
                "203839397688829917857372281443131757783",
                "185575732252900552358483226676836365434",
                "218148538451266829825753437215346701203",
                "213425459907171197499333283281566514602",
                "11892478604650406129648621206888448413",
                "104055479078570837068541309030847886051",
                "292839487684752323339842305008817444422",
                "337924772314129945170287766072078882562",
                "290944425752099368339658787501825879325",
                "239862230735436140578488231568880269421",
                "219048122820663869899582858462045827627",
                "260060293791655827972520123066455821443",
                "75093356721276301056581711965015187354",
                "294652982765899541525287073317883349072",
                "221195174597733744918813477800015070452",
                "103068719435928311614366960102813526850",
                "24412773842532597515577637433450339985",
                "138753240435025182351849187912868853524",
                "104699215554303490721106272557452301292",
                "73595796927291042388008768248289119025",
                "213878865549469413887381018988286868657",
                "246735937759765771582976692450516169314",
                "149068710609364842013269967989769065268",
                "331792664372799127003290740983244951507",
                "30007146344462048416157824632232802324",
                "657236584375837295832280113545998170",
                "82051395226462430428823479045117612741",
                "17883174574016127189154554461401547220",
                "62629405015727775025619654707274040385",
                "120656547916620015523684584115728828245",
                "252844827007950580572148529655832974140",
                "323601965787562601594957188307789821339",
                "82310983095193557974985880835690465373",
                "1817202309068896578043245509465660462",
                "235505973840472814673301729253275616595"
            ]
        },
        "id": "CVE-2019-20393-957c8d30"
    }
]