Bug 673944 (CVE-2018-3846, CVE-2018-3848, CVE-2018-3849) - sci-libs/cfitsio: multiple vulnerabilities
Summary: sci-libs/cfitsio: multiple vulnerabilities
Status: UNCONFIRMED
Alias: CVE-2018-3846, CVE-2018-3848, CVE-2018-3849
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Sci Astronomy Herd
URL: https://www.talosintelligence.com/vul...
Whiteboard: B3 [ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-12-29 06:03 UTC by D'juan McDonald (domhnall)
Modified: 2019-01-08 21:42 UTC
0 users

See Also:
Package list:
Runtime testing required: ---


Description D'juan McDonald (domhnall) 2018-12-29 06:03:00 UTC
Version 3.44 - April 2018

  - This release primarily patches security vulnerabilities.  We
    strongly encourage this upgrade, particularly for those running 
    CFITSIO in web accessible applications.


Citing documentation from version 3.44 to outline security fixes. However, versions 3.45 and 3.50 are available via upstream. Please see URL for details.
Comment 1 D'juan McDonald (domhnall) 2019-01-08 20:38:58 UTC
Escalating to @Security due to CVE and Vulnerability aspects.

(https://nvd.nist.gov/vuln/detail/CVE-2018-3848):
In the ffghbn function in NASA CFITSIO 3.42, specially crafted images parsed via the library can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can deliver an FIT image to trigger this vulnerability and potentially gain code execution.


(https://nvd.nist.gov/vuln/detail/CVE-2018-3849):
In the ffghtb function in NASA CFITSIO 3.42, specially crafted images parsed via the library can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can deliver an FIT image to trigger this vulnerability and potentially gain code execution.


Gentoo Security Padawan
(domhnall)
Comment 2 D'juan McDonald (domhnall) 2019-01-08 21:42:09 UTC
Adding a missed CVE and reference
https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0529