Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 662884 (CVE-2018-10773, CVE-2018-10774, CVE-2018-10775)

Summary: <app-text/bibutils-6.7: multiple vulnerabilities (CVE-2018-{10773,10774,10775})
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: sci
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2018-08-05 22:24:08 UTC 
CVE-2018-10775 (https://nvd.nist.gov/vuln/detail/CVE-2018-10775):
  NULL pointer dereference in the _fields_add function in fields.c in
  libbibcore.a in bibutils through 6.2 allows remote attackers to cause a
  denial of service (application crash), as demonstrated by end2xml.

CVE-2018-10774 (https://nvd.nist.gov/vuln/detail/CVE-2018-10774):
  Read access violation in the isiin_keyword function in isiin.c in
  libbibutils.a in bibutils through 6.2 allows remote attackers to cause a
  denial of service (application crash), as demonstrated by isi2xml.

CVE-2018-10773 (https://nvd.nist.gov/vuln/detail/CVE-2018-10773):
  NULL pointer deference in the addsn function in serialno.c in libbibcore.a
  in bibutils through 6.2 allows remote attackers to cause a denial of service
  (application crash), as demonstrated by copac2xml.
Comment 1 D'juan McDonald (domhnall) 2018-08-12 20:19:19 UTC 
Reference: https://sourceforge.net/p/bibutils/home/history_version6/
6.3

6/04/18

    Add bibdiff program
    Fix header guards in iso639_1.h and iso639_3.h (reported by Vaclav Haisman)
    Fix nbib support for bibutils as a library (reported by Vaclav Haisman)
    Add authority="bibutilsgt" for bibutils-recognized genres not in MARC authority
    Switch from GENRE/NGENRE/UGENRE to GENRE:MARC/GENRE:BIBUTILS/GENRE:UNKNOWN
    General cleanups and fixes to cppcheck/clang warnings
    Fix CVE-2018-10773, CVE-2018-10774, CVE-2018-10775


-
Also, package uses KEYWORDS="~amd64 ~ppc ~x86". 

Gentoo Security Padawan
(domhnall)
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2018-12-04 22:38:34 UTC 
The package in tree is severely outdated...
Comment 3 Larry the Git Cow gentoo-dev 2019-01-11 21:23:51 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d9c3adb551b63268fd4011bb1eb14a1018b49ea0

commit d9c3adb551b63268fd4011bb1eb14a1018b49ea0
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2019-01-11 21:23:11 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2019-01-11 21:23:38 +0000

    app-text/bibutils: Version bump
    
    Closes: https://bugs.gentoo.org/613346
    Closes: https://bugs.gentoo.org/613352
    Bug: https://bugs.gentoo.org/662884
    Package-Manager: Portage-2.3.54, Repoman-2.3.12
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 app-text/bibutils/Manifest            |  1 +
 app-text/bibutils/bibutils-6.7.ebuild | 47 +++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)