hivex is a library for reading and writing Windows Registry (hive)
files. Jeremy Galindo, Sr Security Engineer at
Datto.com, found a flaw
caused by a lack of bounds checking in hivex_open which would cause
hivex to read memory beyond its normal bounds and/or cause the program
to crash when opening a crafted hive file.
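To make the bug class concrete, here is an added illustration (written for this note, not code from hivex or from the patch) of a block walker that trusts a length field taken from the file. It assumes a simplified layout loosely modelled on registry hive cells (a page of fixed size holding records prefixed by a signed 32-bit little-endian length, negative meaning "in use"), and it does not reproduce the exact flaw in hivex_open. The unchecked walker steps wherever the length field points; the checked walker refuses any block that would extend past the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Constructed illustration, not hivex code. A page of PAGE_LEN bytes holds
 * length-prefixed blocks: a signed 32-bit LE length, negative = in use. */
#define PAGE_LEN 64

/* Two constructed pages. Benign: 16-byte used block + 48-byte free block.
 * Malicious: second block claims 4096 bytes although only 48 remain. */
static const uint8_t benign_page[PAGE_LEN] = {
    [0]  = 0xf0, 0xff, 0xff, 0xff,   /* block 1: length -16 (in use)  */
    [16] = 0x30, 0x00, 0x00, 0x00,   /* block 2: length +48 (free)    */
};
static const uint8_t malicious_page[PAGE_LEN] = {
    [0]  = 0xf0, 0xff, 0xff, 0xff,   /* block 1: length -16           */
    [16] = 0x00, 0x10, 0x00, 0x00,   /* block 2: length +4096, bogus  */
};

/* Sink so the compiler cannot drop the demonstrative read. */
static volatile uint8_t last_byte_sink;

static uint32_t read_seg_len(const uint8_t *p)
{
    int32_t len = (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                            (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
    /* magnitude of the length; negative lengths mark used blocks */
    return len < 0 ? 0u - (uint32_t)len : (uint32_t)len;
}

/* Vulnerable walker: uses the length field to touch the last byte of each
 * block without checking it against the page. A bogus length reads past
 * the buffer (out-of-bounds read, or a crash). Returns the block count. */
static int walk_blocks_unchecked(const uint8_t *page, size_t page_len)
{
    size_t off = 0;
    int count = 0;
    while (off + 4 <= page_len) {
        uint32_t seg_len = read_seg_len(page + off);
        if (seg_len == 0) return -1;               /* would loop forever */
        last_byte_sink = page[off + seg_len - 1];  /* may be out of bounds */
        off += seg_len;
        count++;
    }
    return count;
}

/* Hardened walker: every length is validated against the bytes remaining
 * in the page before it is used. Returns -1 on a malformed page. */
static int walk_blocks_checked(const uint8_t *page, size_t page_len)
{
    size_t off = 0;
    int count = 0;
    while (off + 4 <= page_len) {
        uint32_t seg_len = read_seg_len(page + off);
        /* must cover its own header and must not run past the page */
        if (seg_len < 4 || seg_len > page_len - off)
            return -1;
        last_byte_sink = page[off + seg_len - 1];  /* now in bounds */
        off += seg_len;
        count++;
    }
    return count;
}

int main(void)
{
    printf("benign, checked:      %d\n", walk_blocks_checked(benign_page, PAGE_LEN));
    printf("benign, unchecked:    %d\n", walk_blocks_unchecked(benign_page, PAGE_LEN));
    printf("malicious, checked:   %d\n", walk_blocks_checked(malicious_page, PAGE_LEN));
    /* walk_blocks_unchecked(malicious_page, PAGE_LEN) would read far past
     * the 64-byte page; run it only under ASan to see the report. */
    return 0;
}
```

Building with `-fsanitize=address` and calling the unchecked walker on the malicious page is the quickest way to see the class of report this CVE produces; the checked walker rejects the same input before any read happens.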
A detailed description of the problem, and the patch is here:
https://github.com/libguestfs/hivex/commit/8f1935733b10d974a1a4176d38dd15...
This was assessed as having moderate impact and assigned
CVE-2021-3504. The problem affects all versions of hivex <= 1.3.19.
There is no workaround or mitigation, so you should apply the patch
above, or upgrade to hivex 1.3.20:
https://download.libguestfs.org/hivex/?C=M;O=D
New packages will be available for Fedora, RHEL and Debian shortly.
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html