Source: fis-gtm X-Debbugs-CC: [email protected] Severity: normal Tags: security
Hi, The following vulnerabilities were published for fis-gtm. CVE-2021-44496[0]: | An issue was discovered in FIS GT.M through V7.0-000 (related to the | YottaDB code base). Using crafted input, an attacker can control the | size variable and buffer that is passed to a call to memcpy. An | attacker can use this to overwrite key data structures and gain | control of the flow of execution. http://tinco.pair.com/bhaskar/gtm/doc/articles/GTM_V7.0-002_Release_Notes.html https://gitlab.com/YottaDB/DB/YDB/-/issues/828 CVE-2021-44504[1]: | An issue was discovered in FIS GT.M through V7.0-000 (related to the | YottaDB code base). Using crafted input, an attacker can cause a size | variable, stored as an signed int, to equal an extremely large value, | which is interpreted as a negative value during a check. This value is | then used in a memcpy call on the stack, causing a memory segmentation | fault. http://tinco.pair.com/bhaskar/gtm/doc/articles/GTM_V7.0-002_Release_Notes.html https://gitlab.com/YottaDB/DB/YDB/-/issues/828 If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-44496 https://www.cve.org/CVERecord?id=CVE-2021-44496 [1] https://security-tracker.debian.org/tracker/CVE-2021-44504 https://www.cve.org/CVERecord?id=CVE-2021-44504 Please adjust the affected versions in the BTS as needed.
