Use after free in libgetdata v0.10.0 may lead to arbitrary code execution

Bug #1912050 reported by Carlos Andres Ramirez
Affects: libgetdata (Ubuntu)   Status: Confirmed   Importance: Undecided   Assigned to: Unassigned   Milestone: (none)

Bug Description

Use after free in libgetdata v0.10.0 may lead to arbitrary code execution or privilege escalation when processing a maliciously crafted dirfile database. This degrades the confidentiality, integrity and availability of third-party software that uses libgetdata as a library.

Details
When a RAW field specification is used with a duplicated field name in a FORMAT database fragment, the field name will be freed by _GD_ParseFieldSpec() in parse.c, but later referenced by _GD_Supports() in encoding.c when figuring out the encoding type of the RAW frames.

Testing
The vulnerability can be tested by supplying a maliciously crafted database file to the libgetdata library. In Ubuntu Linux, the checkdirfile utility is also vulnerable; this utility is installed by default by the libgetdata-tools package. In Ubuntu Linux, it is located at: /usr/bin/checkdirfile

To test the vulnerability, pass a directory path containing a maliciously crafted FORMAT dirfile database to checkdirfile, as follows:

checkdirfile /path/to/dirfile-db/directory/

Attached is a sample malformed database with a screenshot of the memory analysis.

NOTE: For better visibility of the stack, compile the library with AddressSanitizer (ASAN).

The author has been contacted; waiting for a reply. But as there have not been any updates to the project in the past couple of years, a fix might take a while.

As stated on the homepage (http://getdata.sourceforge.net), this library is being used by advanced science projects at JPL/NASA and many other astrophysical projects. Information about this vulnerability should be kept private for the time being while the organizations are contacted or a patch is released.

RELEASE: Ubuntu 20.04
apt-cache policy libgetdata-tools
libgetdata-tools:
  Installed: 0.10.0-6build3
  Candidate: 0.10.0-6build3
  Version table:
 *** 0.10.0-6build3 500
        500 http://jp.archive.ubuntu.com/ubuntu focal/universe amd64 Packages
        100 /var/lib/dpkg/status
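The report above pins the trigger to a duplicated field name inside a FORMAT fragment. Until the library is upgraded, a caller can refuse such fragments before handing the dirfile to libgetdata. The following pre-validation check is an added example, not code from GetData or from the reporter; its FORMAT syntax handling (comment, directive, field-spec and /META lines) and the sample fragment are constructed here, and upgrading to the fixed release remains the real mitigation.

```python
"""Reject dirfile FORMAT fragments that define the same field name twice.

Constructed example: pre-validation in front of an unpatched libgetdata 0.10.0.
Dirfile FORMAT lines are either '/DIRECTIVE ...' or '<name> <TYPE> ...';
'/META parent name TYPE ...' defines the metafield 'parent/name'; '#' starts
a comment. /INCLUDE lines are not followed here (assumption: each included
fragment is checked separately by the caller).
"""
import shlex
from collections import Counter


def field_names(fragment_text):
    """Yield every field name defined in one FORMAT fragment, in order."""
    for line in fragment_text.splitlines():
        tokens = shlex.split(line, comments=True)  # honours quoting and '#'
        if not tokens:
            continue
        if tokens[0].startswith("/"):
            # Only /META introduces a field; other directives do not.
            if tokens[0].upper() == "/META" and len(tokens) >= 3:
                yield f"{tokens[1]}/{tokens[2]}"
            continue
        if len(tokens) >= 2:  # '<name> <TYPE> ...', e.g. 'temperature RAW FLOAT64 1'
            yield tokens[0]


def duplicate_fields(fragment_text):
    """Return {name: count} for every field name defined more than once."""
    counts = Counter(field_names(fragment_text))
    return {name: n for name, n in counts.items() if n > 1}


def is_safe_fragment(fragment_text):
    """True when no field name is redefined; False means: do not open it."""
    return not duplicate_fields(fragment_text)


# Constructed sample: the second 'temperature' RAW line is the redefinition
# pattern the report describes.
SAMPLE_FORMAT = """\
# constructed FORMAT fragment
/ENDIAN little
temperature RAW FLOAT64 1
pressure    RAW UINT16 4
temperature RAW UINT8 1   # same name again
/META pressure units STRING hPa
"""

if __name__ == "__main__":
    print("duplicates:", duplicate_fields(SAMPLE_FORMAT))  # {'temperature': 2}
```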

Revision history for this message
Carlos Andres Ramirez (carlos-andres-ramirez) wrote :

UPDATE
This vulnerability has been triaged and has been assigned CVE ID: CVE-2021-20204.
Full impact currently under investigation by Red Hat team.

Revision history for this message
Steve Beattie (sbeattie) wrote :

Hi Carlos, thanks for the report. Please keep us updated on the status of this issue. Thanks!

Revision history for this message
Steve Beattie (sbeattie) wrote :

Hi Carlos, any progress on this issue?

Thanks.

Revision history for this message
Alex Murray (alexmurray) wrote :

This is now public at https://bugzilla.redhat.com/show_bug.cgi?id=1956348 so marking it public here too.

information type: Private Security → Public Security
Revision history for this message
Carlos Andres Ramirez (carlos-andres-ramirez) wrote :

Thank you Alex, Steve,
The developer did not respond, so I guess Red Hat Security team decided to act on the vulnerability advisory.

Thank you guys for following up on this.

---
Carlos

Changed in libgetdata (Ubuntu):
status: New → Confirmed
Revision history for this message
Ketil Trout (ketiltrout) wrote :

A new version of GetData has been released to address CVE-2021-20204:

https://github.com/ketiltrout/getdata/releases/tag/v0.11.0
