Bug 673944 (CVE-2018-3846, CVE-2018-3847, CVE-2018-3848, CVE-2018-3849) - <sci-libs/cfitsio-3.490: multiple vulnerabilities
Summary: <sci-libs/cfitsio-3.490: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2018-3846, CVE-2018-3847, CVE-2018-3848, CVE-2018-3849
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.talosintelligence.com/vul...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks: EAPI5Removal
Reported: 2018-12-29 06:03 UTC by D'juan McDonald (domhnall)
Modified: 2021-01-26 00:22 UTC

See Also:
Package list:
Runtime testing required: ---
Description D'juan McDonald (domhnall) 2018-12-29 06:03:00 UTC
Version 3.44 - April 2018

  - This release primarily patches security vulnerabilities.  We
    strongly encourage this upgrade, particularly for those running 
    CFITSIO in web accessible applications.


Citing documentation from version 3.44 to outline security fixes. However, versions 3.45 and 3.50 are available via upstream. Please see the URL for details.
Comment 1 D'juan McDonald (domhnall) 2019-01-08 20:38:58 UTC
Escalating to @Security due to CVE and Vulnerability aspects.

(https://nvd.nist.gov/vuln/detail/CVE-2018-3848):
In the ffghbn function in NASA CFITSIO 3.42, specially crafted images parsed via the library can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can deliver an FIT image to trigger this vulnerability and potentially gain code execution.


(https://nvd.nist.gov/vuln/detail/CVE-2018-3849):
In the ffghtb function in NASA CFITSIO 3.42, specially crafted images parsed via the library can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can deliver an FIT image to trigger this vulnerability and potentially gain code execution.


Gentoo Security Padawan
(domhnall)
Comment 2 D'juan McDonald (domhnall) 2019-01-08 21:42:09 UTC
Adding a missed CVE and reference
https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0529
Comment 3 D'juan McDonald (domhnall) 2019-10-18 17:41:12 UTC
`ffgphd` and `ffgtkn` are CVE-2018-4846, while `ffghbn` and `ffghtb` are CVE-2018-3848 and CVE-2018-3849 respectively.

See Also: CVE-2019-1010060.
(https://nvd.nist.gov/vuln/detail/CVE-2019-1010060):


(https://nvd.nist.gov/vuln/detail/CVE-2018-3846):

In the ffgphd and ffgtkn functions in NASA CFITSIO 3.42, specially crafted images parsed via the library can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can deliver an FIT image to trigger this vulnerability and potentially gain code execution.


(https://nvd.nist.gov/vuln/detail/CVE-2018-3847):
 
Multiple exploitable buffer overflow vulnerabilities exist in the image parsing functionality of the CFITSIO library version 3.42. Specially crafted images parsed via the library can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can deliver an FIT image to trigger this vulnerability and potentially gain code execution.
Comment 4 D'juan McDonald (domhnall) 2019-10-18 17:42:31 UTC
(In reply to D'juan McDonald (domhnall) from comment #3)
>..are CVE-2018-4846

CVE-2018-3846
Comment 5 Sam James archtester gentoo-dev Security 2020-06-13 17:04:31 UTC
ping..
Comment 6 Sam James archtester gentoo-dev Security 2020-07-18 21:01:50 UTC
ping
Comment 7 Larry the Git Cow gentoo-dev 2021-01-02 20:31:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a901fb5b9a1e317224a8126783bea78045554eaf

commit a901fb5b9a1e317224a8126783bea78045554eaf
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-19 20:05:50 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-01-02 20:30:54 +0000

    sci-libs/cfitsio: security bump to 3.480
    
    Changes:
    * Update licence to ISC
    * EAPI 7 bump
    * Drop doc, examples USE flags
    * Remove other now non-existent options upstream
    
    Bug: https://bugs.gentoo.org/673944
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/16749
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 sci-libs/cfitsio/Manifest             |  1 +
 sci-libs/cfitsio/cfitsio-3.480.ebuild | 71 +++++++++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+)
Comment 8 Sam James archtester gentoo-dev Security 2021-01-06 06:34:26 UTC
x86 done
Comment 9 Sam James archtester gentoo-dev Security 2021-01-07 02:35:21 UTC
ppc done
Comment 10 Sam James archtester gentoo-dev Security 2021-01-07 05:58:04 UTC
amd64 done
Comment 11 Sam James archtester gentoo-dev Security 2021-01-07 11:13:22 UTC
ppc64 done
Comment 12 Sam James archtester gentoo-dev Security 2021-01-10 14:29:23 UTC
sparc done

all arches done
Comment 13 Sam James archtester gentoo-dev Security 2021-01-10 18:05:12 UTC
Please cleanup, thanks!
Comment 14 Larry the Git Cow gentoo-dev 2021-01-25 16:48:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34a9e327a6f7da965fd701f9b6527927b60c2d73

commit 34a9e327a6f7da965fd701f9b6527927b60c2d73
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-01-25 16:37:48 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-01-25 16:47:58 +0000

    sci-libs/cfitsio: Cleanup vulnerable 3.360, 3.410
    
    Bug: https://bugs.gentoo.org/673944
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 sci-libs/cfitsio/Manifest             |  2 --
 sci-libs/cfitsio/cfitsio-3.360.ebuild | 57 ----------------------------------
 sci-libs/cfitsio/cfitsio-3.410.ebuild | 58 -----------------------------------
 sci-libs/cfitsio/metadata.xml         |  4 ---
 4 files changed, 121 deletions(-)
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2021-01-26 00:22:15 UTC
This issue was resolved and addressed in
 GLSA 202101-24 at https://security.gentoo.org/glsa/202101-24
by GLSA coordinator Sam James (sam_c).