
Bug 673944 (CVE-2018-3846, CVE-2018-3847, CVE-2018-3848, CVE-2018-3849)

Summary: <sci-libs/cfitsio-3.490: multiple vulnerabilities
Product: Gentoo Security
Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: sci-astronomy
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0531
See Also: https://bugs.gentoo.org/show_bug.cgi?id=698224
https://bugs.gentoo.org/show_bug.cgi?id=687860
Whiteboard: B2 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 698100    

Description D'juan McDonald (domhnall) 2018-12-29 06:03:00 UTC
Version 3.44 - April 2018

  - This release primarily patches security vulnerabilities.  We
    strongly encourage this upgrade, particularly for those running 
    CFITSIO in web accessible applications.


Citing documentation from version 3.44 to outline security fixes. However, versions 3.45 and 3.50 are available upstream. Please see URL for details.
Comment 1 D'juan McDonald (domhnall) 2019-01-08 20:38:58 UTC
Escalating to @Security due to CVE and Vulnerability aspects.

(https://nvd.nist.gov/vuln/detail/CVE-2018-3848):
In the ffghbn function in NASA CFITSIO 3.42, specially crafted images parsed via the library can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can deliver an FIT image to trigger this vulnerability and potentially gain code execution.


(https://nvd.nist.gov/vuln/detail/CVE-2018-3849):
In the ffghtb function in NASA CFITSIO 3.42, specially crafted images parsed via the library can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can deliver an FIT image to trigger this vulnerability and potentially gain code execution.


Gentoo Security Padawan
(domhnall)
Comment 2 D'juan McDonald (domhnall) 2019-01-08 21:42:09 UTC
Adding a missed CVE and reference
https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0529
Comment 3 D'juan McDonald (domhnall) 2019-10-18 17:41:12 UTC
`ffgphd` and `ffgtkn` are CVE-2018-4846 while `ffghbn` and `ffghtb` are CVE-2018-3848 and CVE-2018-3849 respectively.

See Also: CVE-2019-1010060.
(https://nvd.nist.gov/vuln/detail/CVE-2019-1010060):


(https://nvd.nist.gov/vuln/detail/CVE-2018-3846):

In the ffgphd and ffgtkn functions in NASA CFITSIO 3.42, specially crafted images parsed via the library can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can deliver an FIT image to trigger this vulnerability and potentially gain code execution.


(https://nvd.nist.gov/vuln/detail/CVE-2018-3847):
 
Multiple exploitable buffer overflow vulnerabilities exist in image parsing functionality of the CFITSIO library version 3.42. Specially crafted images parsed via the library, can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can deliver an FIT image to trigger this vulnerability and potentially gain code execution.
Comment 4 D'juan McDonald (domhnall) 2019-10-18 17:42:31 UTC
(In reply to D'juan McDonald (domhnall) from comment #3)
>..are CVE-2018-4846

CVE-2018-3846
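As an added example (not CFITSIO's code, and not the bodies of ffghbn, ffghtb, ffgphd or ffgtkn): a minimal FITS header-card reader in C that shows the two checks this class of bug calls for, a bounds check against the destination buffer when a quoted string value is copied out of a card, and a range check on integer keywords such as TFIELDS and NAXIS before they are used as loop bounds over fixed-size arrays. The card layout (80-byte records, keyword in columns 1-8, "= " in columns 9-10, value in 11-80, '' as an escaped quote) is the FITS standard; the sample cards, the function and constant names, the 32-byte buffer and the 16-column limit are constructed for the demonstration.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* A FITS header card is a fixed 80-byte record: keyword in columns 1-8,
 * "= " in columns 9-10, value and an optional "/ comment" in 11-80. */
#define CARD_LEN 80

/* Return codes: a rejected card is reported, never partially copied. */
enum { FITS_OK = 0, FITS_ERR_FORMAT = -1, FITS_ERR_TOOLONG = -2, FITS_ERR_RANGE = -3 };

/* Bytes in the card up to its NUL, capped at 80 so a missing NUL cannot run on. */
static size_t card_length(const char *c) { size_t n = 0; while (n < CARD_LEN && c[n]) n++; return n; }

/* Start of the value field, or NULL if the card is not "KEYWORD = value". */
static const char *value_start(const char *c, size_t len)
{
    return (len >= 11 && c[8] == '=' && c[9] == ' ') ? c + 10 : NULL;
}

/* Copy the quoted string value of a card into out[out_size].
 * The comparison against out_size is the check whose absence turns a crafted
 * card into a stack overflow: an overlong value is rejected, not copied. */
int fits_get_string(const char *card, char *out, size_t out_size)
{
    size_t len = card_length(card), n = 0;
    const char *end = card + len, *p = value_start(card, len);
    if (p == NULL)
        return FITS_ERR_FORMAT;
    while (p < end && *p == ' ') p++;
    if (p >= end || *p != '\'')
        return FITS_ERR_FORMAT;
    for (p++;; p++) {
        if (p >= end)
            return FITS_ERR_FORMAT;          /* unterminated string */
        if (*p == '\'') {
            if (p + 1 < end && p[1] == '\'')
                p++;                         /* '' encodes one literal quote */
            else
                break;                       /* closing quote */
        }
        if (n + 1 >= out_size)
            return FITS_ERR_TOOLONG;         /* keep room for the NUL */
        out[n++] = *p;
    }
    out[n] = '\0';
    return FITS_OK;
}

/* Parse an integer card such as NAXIS or TFIELDS and require lo <= v <= hi.
 * Such counts later bound loops over fixed-size arrays, so they are validated
 * against the caller's limits before anything trusts them. */
int fits_get_int(const char *card, long lo, long hi, long *value)
{
    char buf[CARD_LEN + 1], *endp;
    size_t len = card_length(card);
    const char *p = value_start(card, len);
    long v;
    if (p == NULL)
        return FITS_ERR_FORMAT;
    memcpy(buf, p, len - 10);
    buf[len - 10] = '\0';
    errno = 0;
    v = strtol(buf, &endp, 10);
    if (endp == buf || errno == ERANGE)
        return FITS_ERR_FORMAT;
    while (*endp == ' ') endp++;
    if (*endp != '\0' && *endp != '/')       /* only blanks or a comment may follow */
        return FITS_ERR_FORMAT;
    if (v < lo || v > hi)
        return FITS_ERR_RANGE;
    *value = v;
    return FITS_OK;
}

/* Constructed sample cards (not from any real FITS file). The TTYPE1 card
 * carries a 68-character value, the longest that fits in an 80-byte card. */
static const char CARD_TFORM1[]  = "TFORM1  = '1J'                 / data format of field 1";
static const char CARD_TFIELDS[] = "TFIELDS =                 5000 / crafted: absurd column count";
static const char CARD_TTYPE1[]  = "TTYPE1  = '"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
    "AAAAAAAA" "'";                          /* 6*10 + 8 = 68 A's, 80 bytes total */

/* 1 if TFORM1 parses to "1J" in a 32-byte buffer. */
int demo_tform1(void)
{
    char out[32] = "";
    return fits_get_string(CARD_TFORM1, out, sizeof out) == FITS_OK && strcmp(out, "1J") == 0;
}

/* Error code from parsing the 68-character TTYPE1 value into a 32-byte buffer. */
int demo_overlong_value(void)
{
    char out[32] = "";
    return fits_get_string(CARD_TTYPE1, out, sizeof out);
}

/* Error code for TFIELDS = 5000 when the caller accepts at most max_fields columns. */
int demo_tfields(long max_fields)
{
    long v = 0;
    return fits_get_int(CARD_TFIELDS, 1, max_fields, &v);
}
```

Building with `cc -Wall -Wextra -fsanitize=address` (file name of your choosing) is a cheap way to confirm that no path writes past `out`, since AddressSanitizer would flag an overflow the moment the length check were removed. On a Gentoo host, `glsa-check -t all` reports whether GLSA 202101-24 still applies to the installed sci-libs/cfitsio.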
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-13 17:04:31 UTC
ping..
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-18 21:01:50 UTC
ping
Comment 7 Larry the Git Cow gentoo-dev 2021-01-02 20:31:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a901fb5b9a1e317224a8126783bea78045554eaf

commit a901fb5b9a1e317224a8126783bea78045554eaf
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-19 20:05:50 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-01-02 20:30:54 +0000

    sci-libs/cfitsio: security bump to 3.480
    
    Changes:
    * Update licence to ISC
    * EAPI 7 bump
    * Drop doc, examples USE flags
    * Remove other now non-existent options upstream
    
    Bug: https://bugs.gentoo.org/673944
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/16749
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 sci-libs/cfitsio/Manifest             |  1 +
 sci-libs/cfitsio/cfitsio-3.480.ebuild | 71 +++++++++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+)
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-06 06:34:26 UTC
x86 done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 02:35:21 UTC
ppc done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 05:58:04 UTC
amd64 done
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 11:13:22 UTC
ppc64 done
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-10 14:29:23 UTC
sparc done

all arches done
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-10 18:05:12 UTC
Please cleanup, thanks!
Comment 14 Larry the Git Cow gentoo-dev 2021-01-25 16:48:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34a9e327a6f7da965fd701f9b6527927b60c2d73

commit 34a9e327a6f7da965fd701f9b6527927b60c2d73
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-01-25 16:37:48 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-01-25 16:47:58 +0000

    sci-libs/cfitsio: Cleanup vulnerable 3.360, 3.410
    
    Bug: https://bugs.gentoo.org/673944
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 sci-libs/cfitsio/Manifest             |  2 --
 sci-libs/cfitsio/cfitsio-3.360.ebuild | 57 ----------------------------------
 sci-libs/cfitsio/cfitsio-3.410.ebuild | 58 -----------------------------------
 sci-libs/cfitsio/metadata.xml         |  4 ---
 4 files changed, 121 deletions(-)
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2021-01-26 00:22:15 UTC
This issue was resolved and addressed in
 GLSA 202101-24 at https://security.gentoo.org/glsa/202101-24
by GLSA coordinator Sam James (sam_c).