CVE-2019-18874

psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
psutil_projectpsutil
𝑥
≤ 5.6.5
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-psutil
bookworm
5.9.4-1
fixed
bullseye
5.8.0-1
fixed
buster
no-dsa
sid
5.9.8-2
fixed
stretch
no-dsa
trixie
5.9.8-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-psutil
bionic
Fixed 5.4.2-1ubuntu0.1
released
disco
Fixed 5.5.1-1ubuntu0.19.04.1
released
eoan
Fixed 5.5.1-1ubuntu0.19.10.1
released
trusty
dne
xenial
Fixed 3.4.2-1ubuntu0.1
released
Common Weakness Enumeration
References
https://github.com/giampaolo/psutil/pull/1616
https://lists.debian.org/debian-lts-announce/2019/11/msg00018.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2P7QI7MOTZTFXQYU23CP3RAWXCERMOAS/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OLETTJYZL2SMBUI4Q2NGBMGPDPP54SRG/
https://usn.ubuntu.com/4204-1/
https://github.com/giampaolo/psutil/pull/1616
https://lists.debian.org/debian-lts-announce/2019/11/msg00018.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2P7QI7MOTZTFXQYU23CP3RAWXCERMOAS/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OLETTJYZL2SMBUI4Q2NGBMGPDPP54SRG/
https://usn.ubuntu.com/4204-1/