{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"Medium" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"libsolv security update", "category":"general", "title":"Synopsis" }, { "text":"An update for libsolv is now available for openEuler-24.03-LTS-SP3", "category":"general", "title":"Summary" }, { "text":"A free package dependency solver using a satisfiability algorithm. The library is based on two major, but independent, blocks:\n\nSecurity Fix(es):\n\nMANUALLY_VERIFIED_REPORT\npackage: libsolv-0.7.33-2.el10\n------\n[Security] Heap Buffer Overflow in repo_add_solv via Negative maxsize\nSummary: Heap buffer overflow in `repo_add_solv` when parsing attacker-controlled `.solv` files; large encoded `maxsize`/`allsize` header values can decode to negative signed `Id` values, leading to undersized heap allocation while a subsequent `fread` uses `DATA_READ_CHUNK` (8192) bytes.\nRequirements to exploit: Ability to supply a crafted `.solv` file that a victim processes with libsolv (directly or via a consumer such as `dumpsolv` or an application that calls `repo_add_solv` on untrusted input).\nComponent affected: libsolv\nVersion affected: <= 0.7.36\nVersion fixed (if any already): >= TBD\nCVSS: 6.5 (Medium) — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\nImpact: Moderate (proposed). Per https://access.redhat.com/security/updates/classification this is memory corruption reachable via untrusted `.solv` ingestion and can at least cause a denial of service; it is not clearly \"High\" because an attacker typically needs the victim to process attacker-controlled input (configuration/user action) and reliable system compromise is not demonstrated here. This may be \"Low\" instead in product contexts where the vulnerable path is not used by default, is only reachable via uncommon workflows, or is effectively mitigated (e.g., only trusted solvdb is processed).\nEmbargo: no\nAcknowledgement: Aisle Research\nSteps to reproduce if available: See \"Reproduction steps\" below.\nMitigation if available: Prefer only consuming trusted `.solv` / solvdb inputs; avoid parsing untrusted `.solv` files until patched.\nOriginal report:\nHello libsolv maintainers,\nWe believe that we have discovered a potential security vulnerability in `repo_add_solv` when parsing attacker-controlled `.solv` files.\n### Vulnerability details\n`read_id` decodes into an unsigned value and returns `Id` (signed `int`), so large encoded values can become negative after conversion:\n```c\n/* src/repo_solv.c */\nstatic Id\nread_id(Repodata *data, Id max)\n{\nunsigned int x = 0;\n...\nreturn x;\n}\n```\nIn `repo_add_solv`, `maxsize` and `allsize` are read with `max=0` (no bounds check), then used for allocation and read length:\n```c\n/* src/repo_solv.c */\nmaxsize = read_id(&data, 0);\nallsize = read_id(&data, 0);\nmaxsize += 5;\nif (maxsize > allsize)\nmaxsize = allsize;\nbuf = solv_calloc(maxsize + DATA_READ_CHUNK + 4, 1);\nl = maxsize;\nif (l < DATA_READ_CHUNK)\nl = DATA_READ_CHUNK;\nif (l > allsize)\nl = allsize;\nif (!l || fread(buf, l, 1, data.fp) != 1)\n```\nIf `maxsize` is negative, `solv_calloc(maxsize + 8192 + 4, 1)` can allocate a much smaller buffer, but `l` is then raised to `8192`, and `fread` writes `8192` bytes into that undersized heap buffer.\nMost relevant CWEs:\n- `CWE-122` (Heap-based Buffer Overflow): direct overflow sink.\n- `CWE-20` (Improper Input Validation): negative header fields are accepted.\n- `CWE-195` (Signed to Unsigned Conversion Error): signed `int` values flow into allocation sizing.\n### Reproduction steps\n1. Build libsolv with ASAN (or run a consumer binary that calls `repo_add_solv` on `.solv` input, e.g. `dumpsolv`).\n2. Run the parser on this file (`dumpsolv crafted.solv` or equivalent).\n### Crash:\n[root@c28a4ffb0823 workspace]# ./build-asan/tools/dumpsolv ./vuln_1_101_1_negative_maxsize.solv\n=================================================================\n==542==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5020000000b1 at pc 0x00000041fb3c bp 0x7ffffffc5fd0 sp 0x7ffffffc5798\nWRITE of size 8192 at 0x5020000000b1 thread T0\n#0 0x00000041fb3b (/workspace/build-asan/tools/dumpsolv+0x41fb3b) (BuildId: 3a1e71d74bd4d38c896ffc899393aedf86bf1cfc)\n#1 0x7fffff662147 (/workspace/build-asan/src/libsolv.so.1+0x57147) (BuildId: ebfff12c035b97f95b2d532a1d6d237ac31e770a)\n#2 0x0000004e45fe (/workspace/build-asan/tools/dumpsolv+0x4e45fe) (BuildId: 3a1e71d74bd4d38c896ffc899393aedf86bf1cfc)\n#3 0x7fffff2f0447 (/lib64/libc.so.6+0x3447) (BuildId: dae6ae6929d69dca842288f5300af5a33d1bdcd7)\n#4 0x7fffff2f050a (/lib64/libc.so.6+0x350a) (BuildId: (CVE-2026-9149)\n\nA flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could exploit this by providing malicious SHA384 or SHA512 checksum tags, leading to memory corruption and a denial of service (DoS) in the affected system.(CVE-2026-9150)", "category":"general", "title":"Description" }, { "text":"An update for libsolv is now available for openEuler-24.03-LTS-SP3.\n\nopenEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"Medium", "category":"general", "title":"Severity" }, { "text":"libsolv", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2026-2556", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2556" }, { "summary":"CVE-2026-9149", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-9149&packageName=libsolv" }, { "summary":"CVE-2026-9150", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-9150&packageName=libsolv" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2026-9149" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2026-9150" }, { "summary":"openEuler-SA-2026-2556 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2026/csaf-openeuler-sa-2026-2556.json" } ], "title":"An update for libsolv is now available for openEuler-24.03-LTS-SP3", "tracking":{ "initial_release_date":"2026-06-08T15:01:25+08:00", "revision_history":[ { "date":"2026-06-08T15:01:25+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2026-06-08T15:01:25+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2026-06-08T15:01:25+08:00", "id":"openEuler-SA-2026-2556", "version":"1.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"openEuler-24.03-LTS-SP3", "name":"openEuler-24.03-LTS-SP3" }, "name":"openEuler-24.03-LTS-SP3", "category":"product_version" } ], "category":"product_name" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"libsolv-0.7.24-5.oe2403sp3.aarch64.rpm", "name":"libsolv-0.7.24-5.oe2403sp3.aarch64.rpm" }, "name":"libsolv-0.7.24-5.oe2403sp3.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"libsolv-debuginfo-0.7.24-5.oe2403sp3.aarch64.rpm", "name":"libsolv-debuginfo-0.7.24-5.oe2403sp3.aarch64.rpm" }, "name":"libsolv-debuginfo-0.7.24-5.oe2403sp3.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"libsolv-debugsource-0.7.24-5.oe2403sp3.aarch64.rpm", "name":"libsolv-debugsource-0.7.24-5.oe2403sp3.aarch64.rpm" }, "name":"libsolv-debugsource-0.7.24-5.oe2403sp3.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"libsolv-demo-0.7.24-5.oe2403sp3.aarch64.rpm", "name":"libsolv-demo-0.7.24-5.oe2403sp3.aarch64.rpm" }, "name":"libsolv-demo-0.7.24-5.oe2403sp3.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"libsolv-devel-0.7.24-5.oe2403sp3.aarch64.rpm", "name":"libsolv-devel-0.7.24-5.oe2403sp3.aarch64.rpm" }, "name":"libsolv-devel-0.7.24-5.oe2403sp3.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"libsolv-tools-0.7.24-5.oe2403sp3.aarch64.rpm", "name":"libsolv-tools-0.7.24-5.oe2403sp3.aarch64.rpm" }, "name":"libsolv-tools-0.7.24-5.oe2403sp3.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"perl-solv-0.7.24-5.oe2403sp3.aarch64.rpm", "name":"perl-solv-0.7.24-5.oe2403sp3.aarch64.rpm" }, "name":"perl-solv-0.7.24-5.oe2403sp3.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"python3-solv-0.7.24-5.oe2403sp3.aarch64.rpm", "name":"python3-solv-0.7.24-5.oe2403sp3.aarch64.rpm" }, "name":"python3-solv-0.7.24-5.oe2403sp3.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"ruby-solv-0.7.24-5.oe2403sp3.aarch64.rpm", "name":"ruby-solv-0.7.24-5.oe2403sp3.aarch64.rpm" }, "name":"ruby-solv-0.7.24-5.oe2403sp3.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"libsolv-0.7.24-5.oe2403sp3.src.rpm", "name":"libsolv-0.7.24-5.oe2403sp3.src.rpm" }, "name":"libsolv-0.7.24-5.oe2403sp3.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"libsolv-0.7.24-5.oe2403sp3.x86_64.rpm", "name":"libsolv-0.7.24-5.oe2403sp3.x86_64.rpm" }, "name":"libsolv-0.7.24-5.oe2403sp3.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"libsolv-debuginfo-0.7.24-5.oe2403sp3.x86_64.rpm", "name":"libsolv-debuginfo-0.7.24-5.oe2403sp3.x86_64.rpm" }, "name":"libsolv-debuginfo-0.7.24-5.oe2403sp3.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"libsolv-debugsource-0.7.24-5.oe2403sp3.x86_64.rpm", "name":"libsolv-debugsource-0.7.24-5.oe2403sp3.x86_64.rpm" }, "name":"libsolv-debugsource-0.7.24-5.oe2403sp3.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"libsolv-demo-0.7.24-5.oe2403sp3.x86_64.rpm", "name":"libsolv-demo-0.7.24-5.oe2403sp3.x86_64.rpm" }, "name":"libsolv-demo-0.7.24-5.oe2403sp3.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"libsolv-devel-0.7.24-5.oe2403sp3.x86_64.rpm", "name":"libsolv-devel-0.7.24-5.oe2403sp3.x86_64.rpm" }, "name":"libsolv-devel-0.7.24-5.oe2403sp3.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"libsolv-tools-0.7.24-5.oe2403sp3.x86_64.rpm", "name":"libsolv-tools-0.7.24-5.oe2403sp3.x86_64.rpm" }, "name":"libsolv-tools-0.7.24-5.oe2403sp3.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"perl-solv-0.7.24-5.oe2403sp3.x86_64.rpm", "name":"perl-solv-0.7.24-5.oe2403sp3.x86_64.rpm" }, "name":"perl-solv-0.7.24-5.oe2403sp3.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"python3-solv-0.7.24-5.oe2403sp3.x86_64.rpm", "name":"python3-solv-0.7.24-5.oe2403sp3.x86_64.rpm" }, "name":"python3-solv-0.7.24-5.oe2403sp3.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"ruby-solv-0.7.24-5.oe2403sp3.x86_64.rpm", "name":"ruby-solv-0.7.24-5.oe2403sp3.x86_64.rpm" }, "name":"ruby-solv-0.7.24-5.oe2403sp3.x86_64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP3" }, "product_id":"libsolv-help-0.7.24-5.oe2403sp3.noarch.rpm", "name":"libsolv-help-0.7.24-5.oe2403sp3.noarch.rpm" }, "name":"libsolv-help-0.7.24-5.oe2403sp3.noarch.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"libsolv-0.7.24-5.oe2403sp3.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:libsolv-0.7.24-5.oe2403sp3.aarch64", "name":"libsolv-0.7.24-5.oe2403sp3.aarch64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"libsolv-debuginfo-0.7.24-5.oe2403sp3.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:libsolv-debuginfo-0.7.24-5.oe2403sp3.aarch64", "name":"libsolv-debuginfo-0.7.24-5.oe2403sp3.aarch64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"libsolv-debugsource-0.7.24-5.oe2403sp3.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:libsolv-debugsource-0.7.24-5.oe2403sp3.aarch64", "name":"libsolv-debugsource-0.7.24-5.oe2403sp3.aarch64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"libsolv-demo-0.7.24-5.oe2403sp3.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:libsolv-demo-0.7.24-5.oe2403sp3.aarch64", "name":"libsolv-demo-0.7.24-5.oe2403sp3.aarch64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"libsolv-devel-0.7.24-5.oe2403sp3.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:libsolv-devel-0.7.24-5.oe2403sp3.aarch64", "name":"libsolv-devel-0.7.24-5.oe2403sp3.aarch64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"libsolv-tools-0.7.24-5.oe2403sp3.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:libsolv-tools-0.7.24-5.oe2403sp3.aarch64", "name":"libsolv-tools-0.7.24-5.oe2403sp3.aarch64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"perl-solv-0.7.24-5.oe2403sp3.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:perl-solv-0.7.24-5.oe2403sp3.aarch64", "name":"perl-solv-0.7.24-5.oe2403sp3.aarch64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"python3-solv-0.7.24-5.oe2403sp3.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:python3-solv-0.7.24-5.oe2403sp3.aarch64", "name":"python3-solv-0.7.24-5.oe2403sp3.aarch64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"ruby-solv-0.7.24-5.oe2403sp3.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:ruby-solv-0.7.24-5.oe2403sp3.aarch64", "name":"ruby-solv-0.7.24-5.oe2403sp3.aarch64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"libsolv-0.7.24-5.oe2403sp3.src.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:libsolv-0.7.24-5.oe2403sp3.src", "name":"libsolv-0.7.24-5.oe2403sp3.src as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"libsolv-0.7.24-5.oe2403sp3.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:libsolv-0.7.24-5.oe2403sp3.x86_64", "name":"libsolv-0.7.24-5.oe2403sp3.x86_64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"libsolv-debuginfo-0.7.24-5.oe2403sp3.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:libsolv-debuginfo-0.7.24-5.oe2403sp3.x86_64", "name":"libsolv-debuginfo-0.7.24-5.oe2403sp3.x86_64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"libsolv-debugsource-0.7.24-5.oe2403sp3.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:libsolv-debugsource-0.7.24-5.oe2403sp3.x86_64", "name":"libsolv-debugsource-0.7.24-5.oe2403sp3.x86_64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"libsolv-demo-0.7.24-5.oe2403sp3.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:libsolv-demo-0.7.24-5.oe2403sp3.x86_64", "name":"libsolv-demo-0.7.24-5.oe2403sp3.x86_64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"libsolv-devel-0.7.24-5.oe2403sp3.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:libsolv-devel-0.7.24-5.oe2403sp3.x86_64", "name":"libsolv-devel-0.7.24-5.oe2403sp3.x86_64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"libsolv-tools-0.7.24-5.oe2403sp3.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:libsolv-tools-0.7.24-5.oe2403sp3.x86_64", "name":"libsolv-tools-0.7.24-5.oe2403sp3.x86_64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"perl-solv-0.7.24-5.oe2403sp3.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:perl-solv-0.7.24-5.oe2403sp3.x86_64", "name":"perl-solv-0.7.24-5.oe2403sp3.x86_64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"python3-solv-0.7.24-5.oe2403sp3.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:python3-solv-0.7.24-5.oe2403sp3.x86_64", "name":"python3-solv-0.7.24-5.oe2403sp3.x86_64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"ruby-solv-0.7.24-5.oe2403sp3.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:ruby-solv-0.7.24-5.oe2403sp3.x86_64", "name":"ruby-solv-0.7.24-5.oe2403sp3.x86_64 as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-24.03-LTS-SP3", "product_reference":"libsolv-help-0.7.24-5.oe2403sp3.noarch.rpm", "full_product_name":{ "product_id":"openEuler-24.03-LTS-SP3:libsolv-help-0.7.24-5.oe2403sp3.noarch", "name":"libsolv-help-0.7.24-5.oe2403sp3.noarch as a component of openEuler-24.03-LTS-SP3" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2026-9149", "notes":[ { "text":"MANUALLY_VERIFIED_REPORT\npackage: libsolv-0.7.33-2.el10\n------\n[Security] Heap Buffer Overflow in repo_add_solv via Negative maxsize\nSummary: Heap buffer overflow in `repo_add_solv` when parsing attacker-controlled `.solv` files; large encoded `maxsize`/`allsize` header values can decode to negative signed `Id` values, leading to undersized heap allocation while a subsequent `fread` uses `DATA_READ_CHUNK` (8192) bytes.\nRequirements to exploit: Ability to supply a crafted `.solv` file that a victim processes with libsolv (directly or via a consumer such as `dumpsolv` or an application that calls `repo_add_solv` on untrusted input).\nComponent affected: libsolv\nVersion affected: <= 0.7.36\nVersion fixed (if any already): >= TBD\nCVSS: 6.5 (Medium) — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\nImpact: Moderate (proposed). Per https://access.redhat.com/security/updates/classification this is memory corruption reachable via untrusted `.solv` ingestion and can at least cause a denial of service; it is not clearly \"High\" because an attacker typically needs the victim to process attacker-controlled input (configuration/user action) and reliable system compromise is not demonstrated here. This may be \"Low\" instead in product contexts where the vulnerable path is not used by default, is only reachable via uncommon workflows, or is effectively mitigated (e.g., only trusted solvdb is processed).\nEmbargo: no\nAcknowledgement: Aisle Research\nSteps to reproduce if available: See \"Reproduction steps\" below.\nMitigation if available: Prefer only consuming trusted `.solv` / solvdb inputs; avoid parsing untrusted `.solv` files until patched.\nOriginal report:\nHello libsolv maintainers,\nWe believe that we have discovered a potential security vulnerability in `repo_add_solv` when parsing attacker-controlled `.solv` files.\n### Vulnerability details\n`read_id` decodes into an unsigned value and returns `Id` (signed `int`), so large encoded values can become negative after conversion:\n```c\n/* src/repo_solv.c */\nstatic Id\nread_id(Repodata *data, Id max)\n{\nunsigned int x = 0;\n...\nreturn x;\n}\n```\nIn `repo_add_solv`, `maxsize` and `allsize` are read with `max=0` (no bounds check), then used for allocation and read length:\n```c\n/* src/repo_solv.c */\nmaxsize = read_id(&data, 0);\nallsize = read_id(&data, 0);\nmaxsize += 5;\nif (maxsize > allsize)\nmaxsize = allsize;\nbuf = solv_calloc(maxsize + DATA_READ_CHUNK + 4, 1);\nl = maxsize;\nif (l < DATA_READ_CHUNK)\nl = DATA_READ_CHUNK;\nif (l > allsize)\nl = allsize;\nif (!l || fread(buf, l, 1, data.fp) != 1)\n```\nIf `maxsize` is negative, `solv_calloc(maxsize + 8192 + 4, 1)` can allocate a much smaller buffer, but `l` is then raised to `8192`, and `fread` writes `8192` bytes into that undersized heap buffer.\nMost relevant CWEs:\n- `CWE-122` (Heap-based Buffer Overflow): direct overflow sink.\n- `CWE-20` (Improper Input Validation): negative header fields are accepted.\n- `CWE-195` (Signed to Unsigned Conversion Error): signed `int` values flow into allocation sizing.\n### Reproduction steps\n1. Build libsolv with ASAN (or run a consumer binary that calls `repo_add_solv` on `.solv` input, e.g. `dumpsolv`).\n2. Run the parser on this file (`dumpsolv crafted.solv` or equivalent).\n### Crash:\n[root@c28a4ffb0823 workspace]# ./build-asan/tools/dumpsolv ./vuln_1_101_1_negative_maxsize.solv\n=================================================================\n==542==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5020000000b1 at pc 0x00000041fb3c bp 0x7ffffffc5fd0 sp 0x7ffffffc5798\nWRITE of size 8192 at 0x5020000000b1 thread T0\n#0 0x00000041fb3b (/workspace/build-asan/tools/dumpsolv+0x41fb3b) (BuildId: 3a1e71d74bd4d38c896ffc899393aedf86bf1cfc)\n#1 0x7fffff662147 (/workspace/build-asan/src/libsolv.so.1+0x57147) (BuildId: ebfff12c035b97f95b2d532a1d6d237ac31e770a)\n#2 0x0000004e45fe (/workspace/build-asan/tools/dumpsolv+0x4e45fe) (BuildId: 3a1e71d74bd4d38c896ffc899393aedf86bf1cfc)\n#3 0x7fffff2f0447 (/lib64/libc.so.6+0x3447) (BuildId: dae6ae6929d69dca842288f5300af5a33d1bdcd7)\n#4 0x7fffff2f050a (/lib64/libc.so.6+0x350a) (BuildId: ", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS-SP3:libsolv-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-debuginfo-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-debugsource-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-demo-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-devel-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-tools-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:perl-solv-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:python3-solv-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:ruby-solv-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-0.7.24-5.oe2403sp3.src", "openEuler-24.03-LTS-SP3:libsolv-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-debuginfo-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-debugsource-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-demo-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-devel-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-tools-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:perl-solv-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:python3-solv-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:ruby-solv-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-help-0.7.24-5.oe2403sp3.noarch" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS-SP3:libsolv-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-debuginfo-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-debugsource-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-demo-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-devel-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-tools-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:perl-solv-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:python3-solv-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:ruby-solv-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-0.7.24-5.oe2403sp3.src", "openEuler-24.03-LTS-SP3:libsolv-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-debuginfo-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-debugsource-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-demo-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-devel-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-tools-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:perl-solv-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:python3-solv-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:ruby-solv-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-help-0.7.24-5.oe2403sp3.noarch" ], "details":"libsolv security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2556" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":6.5, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version":"3.1" }, "products":[ "openEuler-24.03-LTS-SP3:libsolv-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-debuginfo-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-debugsource-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-demo-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-devel-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-tools-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:perl-solv-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:python3-solv-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:ruby-solv-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-0.7.24-5.oe2403sp3.src", "openEuler-24.03-LTS-SP3:libsolv-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-debuginfo-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-debugsource-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-demo-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-devel-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-tools-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:perl-solv-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:python3-solv-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:ruby-solv-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-help-0.7.24-5.oe2403sp3.noarch" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2026-9149" }, { "cve":"CVE-2026-9150", "notes":[ { "text":"A flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could exploit this by providing malicious SHA384 or SHA512 checksum tags, leading to memory corruption and a denial of service (DoS) in the affected system.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-24.03-LTS-SP3:libsolv-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-debuginfo-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-debugsource-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-demo-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-devel-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-tools-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:perl-solv-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:python3-solv-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:ruby-solv-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-0.7.24-5.oe2403sp3.src", "openEuler-24.03-LTS-SP3:libsolv-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-debuginfo-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-debugsource-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-demo-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-devel-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-tools-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:perl-solv-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:python3-solv-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:ruby-solv-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-help-0.7.24-5.oe2403sp3.noarch" ] }, "remediations":[ { "product_ids":[ "openEuler-24.03-LTS-SP3:libsolv-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-debuginfo-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-debugsource-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-demo-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-devel-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-tools-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:perl-solv-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:python3-solv-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:ruby-solv-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-0.7.24-5.oe2403sp3.src", "openEuler-24.03-LTS-SP3:libsolv-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-debuginfo-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-debugsource-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-demo-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-devel-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-tools-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:perl-solv-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:python3-solv-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:ruby-solv-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-help-0.7.24-5.oe2403sp3.noarch" ], "details":"libsolv security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2556" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":6.5, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version":"3.1" }, "products":[ "openEuler-24.03-LTS-SP3:libsolv-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-debuginfo-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-debugsource-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-demo-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-devel-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-tools-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:perl-solv-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:python3-solv-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:ruby-solv-0.7.24-5.oe2403sp3.aarch64", "openEuler-24.03-LTS-SP3:libsolv-0.7.24-5.oe2403sp3.src", "openEuler-24.03-LTS-SP3:libsolv-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-debuginfo-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-debugsource-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-demo-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-devel-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-tools-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:perl-solv-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:python3-solv-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:ruby-solv-0.7.24-5.oe2403sp3.x86_64", "openEuler-24.03-LTS-SP3:libsolv-help-0.7.24-5.oe2403sp3.noarch" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2026-9150" } ] }