Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 662884 (CVE-2018-10773, CVE-2018-10774, CVE-2018-10775) - <app-text/bibutils-6.7: multiple vulnerabilities (CVE-2018-{10773,10774,10775})
Summary: <app-text/bibutils-6.7: multiple vulnerabilities (CVE-2018-{10773,10774,10775})
Status: RESOLVED FIXED
Alias: CVE-2018-10773, CVE-2018-10774, CVE-2018-10775
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-08-05 22:24 UTC by GLSAMaker/CVETool Bot
Modified: 2019-03-10 04:17 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-08-05 22:24:08 UTC
CVE-2018-10775 (https://nvd.nist.gov/vuln/detail/CVE-2018-10775):
  NULL pointer dereference in the _fields_add function in fields.c in
  libbibcore.a in bibutils through 6.2 allows remote attackers to cause a
  denial of service (application crash), as demonstrated by end2xml.

CVE-2018-10774 (https://nvd.nist.gov/vuln/detail/CVE-2018-10774):
  Read access violation in the isiin_keyword function in isiin.c in
  libbibutils.a in bibutils through 6.2 allows remote attackers to cause a
  denial of service (application crash), as demonstrated by isi2xml.

CVE-2018-10773 (https://nvd.nist.gov/vuln/detail/CVE-2018-10773):
  NULL pointer deference in the addsn function in serialno.c in libbibcore.a
  in bibutils through 6.2 allows remote attackers to cause a denial of service
  (application crash), as demonstrated by copac2xml.
Comment 1 D'juan McDonald (domhnall) 2018-08-12 20:19:19 UTC
Reference: https://sourceforge.net/p/bibutils/home/history_version6/
6.3

6/04/18

    Add bibdiff program
    Fix header guards in iso639_1.h and iso639_3.h (reported by Vaclav Haisman)
    Fix nbib support for bibutils as a library (reported by Vaclav Haisman)
    Add authority="bibutilsgt" for bibutils-recognized genres not in MARC authority
    Switch from GENRE/NGENRE/UGENRE to GENRE:MARC/GENRE:BIBUTILS/GENRE:UNKNOWN
    General cleanups and fixes to cppcheck/clang warnings
    Fix CVE-2018-10773, CVE-2018-10774, CVE-2018-10775


-
Also, package uses KEYWORDS="~amd64 ~ppc ~x86". 

Gentoo Security Padawan
(domhnall)
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-12-04 22:38:34 UTC
The package in tree is severely outdated...
Comment 3 Larry the Git Cow gentoo-dev 2019-01-11 21:23:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d9c3adb551b63268fd4011bb1eb14a1018b49ea0

commit d9c3adb551b63268fd4011bb1eb14a1018b49ea0
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2019-01-11 21:23:11 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2019-01-11 21:23:38 +0000

    app-text/bibutils: Version bump
    
    Closes: https://bugs.gentoo.org/613346
    Closes: https://bugs.gentoo.org/613352
    Bug: https://bugs.gentoo.org/662884
    Package-Manager: Portage-2.3.54, Repoman-2.3.12
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 app-text/bibutils/Manifest            |  1 +
 app-text/bibutils/bibutils-6.7.ebuild | 47 +++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)