#1132719 py-lmdb: CVE-2019-16224 CVE-2019-16225 CVE-2019-16226 CVE-2019-16227 CVE-2019-16228 #1132719
- Package: src:py-lmdb
- Source: src:py-lmdb
- Submitter: Salvatore Bonaccorso
- Date: 2026-06-09 05:41:03 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerabilities were published for py-lmdb.

CVE-2019-16224[0]:
| An issue was discovered in py-lmdb 0.97. For certain values of
| md_flags, mdb_node_add does not properly set up a memcpy
| destination, leading to an invalid write operation. NOTE: this
| outcome occurs when accessing a data.mdb file supplied by an
| attacker.

CVE-2019-16225[1]:
| An issue was discovered in py-lmdb 0.97. For certain values of
| mp_flags, mdb_page_touch does not properly set up
| mc->mc_pg[mc->top], leading to an invalid write operation. NOTE:
| this outcome occurs when accessing a data.mdb file supplied by an
| attacker.

CVE-2019-16226[2]:
| An issue was discovered in py-lmdb 0.97. mdb_node_del does not
| validate a memmove in the case of an unexpected node->mn_hi, leading
| to an invalid write operation. NOTE: this outcome occurs when
| accessing a data.mdb file supplied by an attacker.

CVE-2019-16227[3]:
| An issue was discovered in py-lmdb 0.97. For certain values of
| mn_flags, mdb_cursor_set triggers a memcpy with an invalid write
| operation within mdb_xcursor_init1. NOTE: this outcome occurs when
| accessing a data.mdb file supplied by an attacker.

CVE-2019-16228[4]:
| An issue was discovered in py-lmdb 0.97. There is a divide-by-zero
| error in the function mdb_env_open2 if mdb_env_read_header obtains a
| zero value for a certain size field. NOTE: this outcome occurs when
| accessing a data.mdb file supplied by an attacker.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-16224
    https://www.cve.org/CVERecord?id=CVE-2019-16224
[1] https://security-tracker.debian.org/tracker/CVE-2019-16225
    https://www.cve.org/CVERecord?id=CVE-2019-16225
[2] https://security-tracker.debian.org/tracker/CVE-2019-16226
    https://www.cve.org/CVERecord?id=CVE-2019-16226
[3] https://security-tracker.debian.org/tracker/CVE-2019-16227
    https://www.cve.org/CVERecord?id=CVE-2019-16227
[4] https://security-tracker.debian.org/tracker/CVE-2019-16228
    https://www.cve.org/CVERecord?id=CVE-2019-16228
[5] https://github.com/jnwatson/py-lmdb/issues/210
[6] https://github.com/jnwatson/py-lmdb/pull/429

Regards,
Salvatore
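The fifth report (CVE-2019-16228) is reached when the meta page of an attacker-supplied data.mdb carries a zero page-size field, which mdb_env_open2 then divides by. The following added example (not code from this bug report, from py-lmdb or from LMDB) refuses such a file before it is ever opened; it assumes the LMDB 0.9.x on-disk layout on a 64-bit little-endian host, as spelled out in the comments, and only covers this one trigger, not the node-level corruption behind the other four CVEs.

```python
import struct

# Layout assumptions (not taken from the bug report): LMDB 0.9.x data.mdb on a
# 64-bit little-endian host. Page 0 starts with a 16-byte MDB_page header
# (mp_pgno u64, mp_pad u16, mp_flags u16, mp_lower u16, mp_upper u16), followed
# by MDB_meta: mm_magic u32, mm_version u32, mm_address ptr64, mm_mapsize u64,
# then mm_dbs[0].md_pad u32, which LMDB reads as the database page size.
PAGEHDRSZ = 16
MDB_MAGIC = 0xBEEFC0DE
MDB_DATA_VERSION = 1
P_META = 0x08
MAX_PAGESIZE = 0x10000          # in-page offsets are 16-bit, so pages cannot exceed 64 KiB
HDR_FMT = "<QHHHH"
META_FMT = "<IIQQI"             # magic, version, address, mapsize, psize
MIN_LEN = PAGEHDRSZ + struct.calcsize(META_FMT)


def check_meta_page(page: bytes):
    """Sanity-check the first page of a data.mdb file from an untrusted source.
    Returns (ok, reason). Refuses the zero page-size value that makes
    mdb_env_open2 divide by zero (CVE-2019-16228) before the file is opened."""
    if len(page) < MIN_LEN:
        return False, "file too short for a meta page"
    _pgno, _pad, flags, _lower, _upper = struct.unpack_from(HDR_FMT, page, 0)
    if not flags & P_META:
        return False, "page 0 is not flagged P_META"
    magic, version, _addr, _mapsize, psize = struct.unpack_from(META_FMT, page, PAGEHDRSZ)
    if magic != MDB_MAGIC:
        return False, "bad magic 0x%08x" % magic
    if version != MDB_DATA_VERSION:
        return False, "unsupported data version %d" % version
    if psize == 0:
        return False, "page size is zero (CVE-2019-16228 divide-by-zero trigger)"
    if psize > MAX_PAGESIZE or psize & (psize - 1):
        return False, "implausible page size %d" % psize
    return True, "ok"


def build_meta_page(psize: int, magic: int = MDB_MAGIC) -> bytes:
    """Constructed test input: a minimal page 0 with the given page size."""
    hdr = struct.pack(HDR_FMT, 0, 0, P_META, 0, 0)
    meta = struct.pack(META_FMT, magic, MDB_DATA_VERSION, 0, 1 << 20, psize)
    return hdr + meta


def check_file(path: str):
    """Read only the bytes needed and run the check on a real data.mdb."""
    with open(path, "rb") as f:
        return check_meta_page(f.read(MIN_LEN))


if __name__ == "__main__":
    for label, psize in (("sane", 4096), ("zero psize", 0)):
        print(label, check_meta_page(build_meta_page(psize)))
```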
Control: severity -1 grave

[...]

While the issues are arguably not really RC, in Debian we have almost back to trixie the 1.4.1-based version. Upstream has addressed the CVEs, so raising the severity to RC to make sure the fix lands in forky (for trixie and bookworm the issues can still be considered no-dsa and could be fixed in a point release).

Regards,
Salvatore
These issues are in the bundled lmdb copy[1] that is not used in the Debian package, so that's rather minor/unimportant for py-lmdb.

The PoCs for all 5 CVEs reproduce[2] with lmdb/sid and not anymore after applying the patches.

I can prepare an NMU for lmdb, but what CVE numbers to use? Can the 5 CVEs get reassigned to lmdb where they belong, or will there be new CVEs? One of the CVEs might have been forwarded to lmdb upstream.[3]

cu
Adrian

[1] https://github.com/jnwatson/py-lmdb/issues/210
[2] without python3-lmdb installed, these are C reproducers
[3] https://github.com/jnwatson/py-lmdb/blob/master/upstream-bug-cve-2019-16224.md
Hi Adrian,

I will have a look at this in the next few days and come back to you.

Regards,
Salvatore