A double-free is present in libyang before v1.0-r1 in the function yyparse() when an organization field is not terminated. Applications that use libyang to parse untrusted YANG input files may be vulnerable to this flaw, which would cause a crash or potentially allow code execution.
{ "vanir_signatures": [ { "digest": { "line_hashes": [ "19930810062833946386526714722842093264", "71728508169115866837575559710155390212", "211047695715142250079411845799262406046", "324012456461005424292435550707084261776" ], "threshold": 0.9 }, "deprecated": false, "signature_version": "v1", "signature_type": "Line", "id": "CVE-2019-20397-9548a224", "source": "https://github.com/cesnet/libyang/commit/88bd6c548ba79bce176cd875e9b56e7e0ef4d8d4", "target": { "file": "src/parser_yang_bis.c" } }, { "digest": { "function_hash": "255861764402369204287198891288229464985", "length": 446.0 }, "deprecated": false, "signature_version": "v1", "signature_type": "Function", "id": "CVE-2019-20397-b1c9eb7b", "source": "https://github.com/cesnet/libyang/commit/88bd6c548ba79bce176cd875e9b56e7e0ef4d8d4", "target": { "function": "yyerror", "file": "src/parser_yang_bis.c" } } ] }