Bug#898135: bibutils: CVE-2018-10773 CVE-2018-10774 CVE-2018-10775

2018-05-07 Thread Salvatore Bonaccorso
Hi David,

On Mon, May 07, 2018 at 04:19:22PM -0300, David Bremner wrote:
> Salvatore Bonaccorso  writes:
> 
> > Source: bibutils
> > Version: 6.2-1
> > Severity: normal
> > Tags: security upstream
> >
> > Hi,
> >
> > The following vulnerabilities were published for bibutils. This report
> > is mainly to make you aware of the issues; I'm not sure if upstream was
> > made aware of them, as the CVE references by now just consist of
> > pointing to reproducers.
> >
> > CVE-2018-10773[0]:
> > | NULL pointer dereference in the addsn function in serialno.c in
> > | libbibcore.a in bibutils through 6.2 allows remote attackers to cause a
> > | denial of service (application crash), as demonstrated by copac2xml.
> >
> > CVE-2018-10774[1]:
> > | Read access violation in the isiin_keyword function in isiin.c in
> > | libbibutils.a in bibutils through 6.2 allows remote attackers to cause
> > | a denial of service (application crash), as demonstrated by isi2xml.
> >
> > CVE-2018-10775[2]:
> > | NULL pointer dereference in the _fields_add function in fields.c in
> > | libbibcore.a in bibutils through 6.2 allows remote attackers to cause a
> > | denial of service (application crash), as demonstrated by end2xml.
> >
> 
> Thanks for the report. The use of "remote attacker" seems odd to me,
> since bibutils does not provide any network functionality.

Note those are just the CVE descriptions from the MITRE database, it's
actually maybe even a bit of a stretch to call all those
vulnerabilities (rather than just bugs). I guess the reporter had in
mind a web-exposed service which uses bibutils when requesting the CVE
and mentioning remote attacker and denial of service. My intention
was, given the reporter of those probably did not notify upstream,
upstream could be notified of those bugs at least via Debian. We have
marked all those already as "unimportant" in the security tracker.

Regards,
Salvatore



Bug#898135: bibutils: CVE-2018-10773 CVE-2018-10774 CVE-2018-10775

2018-05-07 Thread David Bremner
Salvatore Bonaccorso  writes:

> Source: bibutils
> Version: 6.2-1
> Severity: normal
> Tags: security upstream
>
> Hi,
>
> The following vulnerabilities were published for bibutils. This report
> is mainly to make you aware of the issues; I'm not sure if upstream was
> made aware of them, as the CVE references by now just consist of
> pointing to reproducers.
>
> CVE-2018-10773[0]:
> | NULL pointer dereference in the addsn function in serialno.c in
> | libbibcore.a in bibutils through 6.2 allows remote attackers to cause a
> | denial of service (application crash), as demonstrated by copac2xml.
>
> CVE-2018-10774[1]:
> | Read access violation in the isiin_keyword function in isiin.c in
> | libbibutils.a in bibutils through 6.2 allows remote attackers to cause
> | a denial of service (application crash), as demonstrated by isi2xml.
>
> CVE-2018-10775[2]:
> | NULL pointer dereference in the _fields_add function in fields.c in
> | libbibcore.a in bibutils through 6.2 allows remote attackers to cause a
> | denial of service (application crash), as demonstrated by end2xml.
>

Thanks for the report. The use of "remote attacker" seems odd to me,
since bibutils does not provide any network functionality.

d



Bug#898135: bibutils: CVE-2018-10773 CVE-2018-10774 CVE-2018-10775

2018-05-07 Thread Salvatore Bonaccorso
Source: bibutils
Version: 6.2-1
Severity: normal
Tags: security upstream

Hi,

The following vulnerabilities were published for bibutils. This report
is mainly to make you aware of the issues; I'm not sure if upstream was
made aware of them, as the CVE references by now just consist of
pointing to reproducers.

CVE-2018-10773[0]:
| NULL pointer dereference in the addsn function in serialno.c in
| libbibcore.a in bibutils through 6.2 allows remote attackers to cause a
| denial of service (application crash), as demonstrated by copac2xml.

CVE-2018-10774[1]:
| Read access violation in the isiin_keyword function in isiin.c in
| libbibutils.a in bibutils through 6.2 allows remote attackers to cause
| a denial of service (application crash), as demonstrated by isi2xml.

CVE-2018-10775[2]:
| NULL pointer dereference in the _fields_add function in fields.c in
| libbibcore.a in bibutils through 6.2 allows remote attackers to cause a
| denial of service (application crash), as demonstrated by end2xml.

If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10773
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10773
[1] https://security-tracker.debian.org/tracker/CVE-2018-10774
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10774
[2] https://security-tracker.debian.org/tracker/CVE-2018-10775
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10775

Please adjust the affected versions in the BTS as needed.

Salvatore
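The three CVEs above share one shape: a converter parses an attacker-controlled bibliography file, a malformed record leaves a pointer NULL, and a lower-level add function dereferences it without checking, so the process crashes. The snippet below is an added illustration of that bug class and of the defensive pattern that turns the crash into a rejected record. It is not bibutils' code: the `fields` type, `fields_add`, `parse_record` and the "TAG value" line format are simplified, hypothetical stand-ins, and the sample record is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified field store; not bibutils' own fields.c. */
enum { FIELDS_OK = 0, FIELDS_ERR_NULL = -1, FIELDS_ERR_NOMEM = -2 };

typedef struct {
    char **tag;
    char **value;
    int n;
    int max;
} fields;

void fields_init(fields *f) { f->tag = f->value = NULL; f->n = f->max = 0; }

void fields_free(fields *f) {
    for (int i = 0; i < f->n; i++) { free(f->tag[i]); free(f->value[i]); }
    free(f->tag); free(f->value); fields_init(f);
}

static char *dupstr(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Hardened add: a NULL tag or value is reported as an error instead of
 * being passed to strlen/memcpy, which is where an unchecked version
 * would fault on malformed input. */
int fields_add(fields *f, const char *tag, const char *value) {
    if (!f || !tag || !value) return FIELDS_ERR_NULL;
    if (f->n == f->max) {
        int newmax = f->max ? f->max * 2 : 8;
        char **nt = realloc(f->tag, (size_t)newmax * sizeof *nt);
        if (!nt) return FIELDS_ERR_NOMEM;
        f->tag = nt;
        char **nv = realloc(f->value, (size_t)newmax * sizeof *nv);
        if (!nv) return FIELDS_ERR_NOMEM;
        f->value = nv;
        f->max = newmax;
    }
    char *t = dupstr(tag), *v = dupstr(value);
    if (!t || !v) { free(t); free(v); return FIELDS_ERR_NOMEM; }
    f->tag[f->n] = t; f->value[f->n] = v; f->n++;
    return FIELDS_OK;
}

/* Split one "TAG value" line. Returns the value pointer, or NULL when the
 * line carries a tag but no value: the malformed case a parser must expect. */
static const char *split_line(const char *line, char *tag, size_t tagsz) {
    const char *sp = strchr(line, ' ');
    size_t taglen = sp ? (size_t)(sp - line) : strlen(line);
    if (taglen >= tagsz) taglen = tagsz - 1;
    memcpy(tag, line, taglen);
    tag[taglen] = '\0';
    if (!sp) return NULL;
    while (*sp == ' ') sp++;
    return *sp ? sp : NULL;
}

/* Parse newline-separated "TAG value" lines into f. Malformed lines are
 * counted in *rejected rather than crashing the process. Returns the
 * number of fields stored. */
int parse_record(const char *text, fields *f, int *rejected) {
    *rejected = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (len > 0) {
            char tag[32];
            const char *value = split_line(line, tag, sizeof tag);
            if (fields_add(f, tag, value) != FIELDS_OK) (*rejected)++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return f->n;
}

/* Constructed sample record: the second line has a tag but no value. */
static const char SAMPLE[] = "%A Doe, John\n%T\n%J Journal of Things\n";

/* Parse SAMPLE and report how many fields were stored and rejected. */
int sample_fields_stored(int *rejected) {
    fields f;
    fields_init(&f);
    int n = parse_record(SAMPLE, &f, rejected);
    fields_free(&f);
    return n;
}

int main(void) {
    int rejected;
    int n = sample_fields_stored(&rejected);
    printf("stored %d fields, rejected %d malformed line(s)\n", n, rejected);
    return 0;
}
```

For triage of reports like these, the same idea applies at the tool level: run the converter on the reproducer and treat termination by signal as the bug, and after a fix expect a non-zero exit or a skipped record rather than a clean exit that silently drops data.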