Fedora has issued an advisory on March 30:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PKFRC6LPMMYD7HQC2C4WX7BQXAXGORJJ/

Mageia 5 is also affected.
Update built for Mageia 6 by Chris:

cfitsio-3.430-1.mga6
libcfitsio5-3.430-1.mga6
libcfitsio-devel-3.430-1.mga6
libcfitsio-static-devel-3.430-1.mga6

from cfitsio-3.430-1.mga6.src.rpm
Thanks David. For Mageia 5, I am afraid the update would be very difficult: the library is still at major 2 and mga6/mga7 are already at major number 5. So we would need to rebuild ten packages and hope for the best in terms of breakage. Let's not do it if this is OK; I think mga5 is EOL anyway. Cheers, Chris.
Yep, I wasn't expecting a Mageia 5 update for this one. Just noted it for documentation purposes.
Here is a proper advisory. I have uploaded an updated package version for Mageia 6. You can test by installing the library package libcfitsio5 and installing, for instance, "fitscut", a binary using the library. On the command line, just enter "fitscut" and see if you get the usage output (and not a segmentation fault!)

Suggested advisory:
========================

Updated cfitsio packages fix security vulnerabilities that could allow a remote, unauthenticated attacker to take control of a server running the CFITSIO software. These vulnerabilities affect all servers and products running the CFITSIO software.

References:
https://heasarc.gsfc.nasa.gov/FTP/software/fitsio/c/docs/changes2.txt
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PKFRC6LPMMYD7HQC2C4WX7BQXAXGORJJ/
========================

Updated packages in core/updates_testing:
========================
cfitsio-3.430-1.mga6
libcfitsio5-3.430-1.mga6
libcfitsio-devel-3.430-1.mga6
libcfitsio-static-devel-3.430-1.mga6

Source RPMs:
cfitsio-3.430-1.mga6.src.rpm
CC: (none) => eatdirt
Assignee: eatdirt => qa-bugs
Mageia 6, x86_64

No PoCs for this. The libraries deal with the FITS data format, which has been widely used in astronomy since the 70s.

Updated the four packages.

FITSIO home page: https://heasarc.gsfc.nasa.gov/fitsio/fitsio.html
Specimen file at ftp://legacy.gsfc.nasa.gov/software/fitsio/c/testprog.std
Error status codes: https://heasarc.gsfc.nasa.gov/docs/software/fitsio/quick/node26.html
Example programs: https://heasarc.gsfc.nasa.gov/docs/software/fitsio/quick/node4.html

Copied example.c from the Quick Start Guide and compiled it:

$ gcc -o fits -lcfitsio example.c
$ file fits
fits: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=23bd5b55c1cf8724e6ca229391ffea81838acb26, not stripped

Used this example to produce a status sheet for the test data downloaded from NASA.

$ ./fits testprog.std
SIMPLE = T / file does conform to FITS standard
BITPIX = 32 / number of bits per data pixel
NAXIS = 2 / number of data axes
NAXIS1 = 10 / length of data axis 1
NAXIS2 = 2 / length of data axis 2
EXTEND = T / FITS dataset may contain extensions
COMMENT FITS (Flexible Image Transport System) format is defined in 'Astronomy
COMMENT and Astrophysics', volume 376, page 359; bibcode: 2001A&A...376..359H
KEY_PREC= 'This keyword was written by fxprec' / comment goes here
CARD1 = '12345678901234567890123456789012345678901234567890123456789012345678'
CARD2 = '1234567890123456789012345678901234567890123456789012345678901234''67'
CARD3 = '1234567890123456789012345678901234567890123456789012345678901234'''''
CARD4 = '1234567890123456789012345678901234567890123456789012345678901234567'
KEY_PKYS= 'value_string' / fxpkys comment
KEY_PKYL= T / fxpkyl comment
KEY_PKYJ= 11 / [feet/second/second] fxpkyj comment
KEY_PKYF= 12.12121 / fxpkyf comment
KEY_PKYE= 1.313131E+01 / fxpkye comment
KEY_PKYG= 14.14141414141414 / fxpkyg comment
KEY_PKYD= 1.51515151515152E+01 / fxpkyd comment
KEY_PKYC= (1.313131E+01, 1.414141E+01) / fxpkyc comment
KEY_PKYM= (1.51515151515152E+01, 1.61616161616162E+01) / fxpkym comment
KEY_PKFC= (13.131313, 14.141414) / fxpkfc comment
KEY_PKFM= (15.15151515151515, 16.16161616161616) / fxpkfm comment
KEY_PKLS= 'This is a very long string value that is continued over more than o&'
CONTINUE 'ne keyword.' / fxpkls comment
LONGSTRN= 'OGIP 1.0' / The HEASARC Long String Convention may be used.
COMMENT This FITS file may contain long string keyword values that are
COMMENT continued over multiple keywords. The HEASARC convention uses the &
COMMENT character at the end of each substring which is then continued
COMMENT on the next keyword which has the name CONTINUE.
KEY_PKYT= 12345678.1234567890123456 / fxpkyt comment
COMMENT This keyword was modified by fxmrec
KY_UCRD = 'This keyword was updated by fxucrd'
NEWIKYS = 'updated_string' / ikys comment
KY_IKYJ = 51 / This is a modified comment
KY_IKYL = T / ikyl comment
KY_IKYE = -1.3346E+01 / ikye comment
KY_IKYD = -1.33456789012346E+01 / modified comment
KY_IKYF = -13.3456 / ikyf comment
KY_IKYG = -13.3456789012346 / ikyg comment
KY_PKNS1= 'first string' / fxpkns comment
KY_PKNS2= 'second string' / fxpkns comment
KY_PKNS3= ' ' / fxpkns comment
KY_PKNL1= T / fxpknl comment
KY_PKNL2= F / fxpknl comment
KY_PKNL3= T / fxpknl comment
KY_PKNJ1= 11 / fxpknj comment
KY_PKNJ2= 12 / fxpknj comment
KY_PKNJ3= 13 / fxpknj comment
KY_PKNF1= 12.12121 / fxpknf comment
KY_PKNF2= 13.13131 / fxpknf comment
KY_PKNF3= 14.14141 / fxpknf comment
KY_PKNE1= 1.313131E+01 / fxpkne comment
KY_PKNE2= 1.414141E+01 / fxpkne comment
KY_PKNE3= 1.515152E+01 / fxpkne comment
KY_PKNG1= 14.1414141414141 / fxpkng comment
KY_PKNG2= 15.1515151515152 / fxpkng comment
KY_PKNG3= 16.1616161616162 / fxpkng comment
KY_PKND1= 1.51515151515152E+01 / fxpknd comment
KY_PKND2= 1.61616161616162E+01 / fxpknd comment
KY_PKND3= 1.71717171717172E+01 / fxpknd comment
TSTRING = '1 ' / tstring comment
TLOGICAL= T / tlogical comment
TBYTE = 11 / tbyte comment
TSHORT = 21 / tshort comment
TINT = 31 / tint comment
TLONG = 41 / tlong comment
TFLOAT = 42. / tfloat comment
TDOUBLE = 82. / tdouble comment
BLANK = -99 / value to use for undefined pixels
KY_PKNE4= 1.313131E+01 / fxpkne comment
TMPCARDA= 1001 / this is the 1st template card
TMPCARD2= 'ABCD ' / this is the 2nd template card
TMPCARD3= 1001.23 / this is the 3rd template card
COMMENT this is the 5th template card
HISTORY this is the 6th template card
TMPCARD7= / comment for null keyword
END

Please excuse the length of this document. That is a very simple test but shows that the library is working fine. It actually provides a sophisticated database-style enquiry language for extracting data from a FITS file, but only in programmable form. Different institutions would probably develop their own interfaces based on this to suit their particular needs. Anyway, at a basic level we can confirm that it is OK.
CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
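The dump above is a sequence of 80-byte card images ("KEY = value / comment") padded into 2880-byte blocks, and it shows the two string conventions that trip up naive parsers: a doubled single quote inside a string is a literal quote (CARD2, CARD3), and a string ending in "&" is continued by a following CONTINUE card (KEY_PKLS). Since the suggested advisory is about a remote attacker feeding the library a file, the defender's interest is in reading that layout with strict bounds. The following is an added example, not code from this thread, from cfitsio or from the Mageia package: a small Python reader that parses constructed sample cards of the same shapes and rejects malformed headers (wrong block size, non-printable bytes, unterminated strings, illegal keyword characters, missing END) instead of reading past them. The sample cards and the names FitsHeaderError, parse_header and reject_reason are all ours, not cfitsio API.

```python
"""Bounds-checked FITS header card reader (constructed example for this thread;
not cfitsio or Mageia code). Card shapes mirror the testprog.std dump above.
"""
import re

CARD_LEN = 80
BLOCK_LEN = 2880
_KEYWORD_RE = re.compile(r"^[A-Z0-9_-]{0,8}$")      # blanks allowed only as padding
_STRING_RE = re.compile(r"^'((?:[^']|'')*)'(.*)$")  # '' inside a string = literal quote


class FitsHeaderError(ValueError):
    """Raised for any header that violates the layout rules."""


def _card(text):
    """Build one 80-byte card from text (constructed test data only)."""
    assert len(text) <= CARD_LEN
    return text.ljust(CARD_LEN).encode("ascii")


SAMPLE_HEADER = b"".join([
    _card("SIMPLE  =                    T / file does conform to FITS standard"),
    _card("BITPIX  =                   32 / number of bits per data pixel"),
    _card("KEY_PKYF=             12.12121 / fxpkyf comment"),
    _card("KEY_PKYS= 'value_string'       / fxpkys comment"),
    _card("CARD2   = 'it''s'              / doubled quote escapes a quote"),
    _card("KEY_PKLS= 'This is a very long string value that is continued over more than o&'"),
    _card("CONTINUE  'ne keyword.' / fxpkls comment"),
    _card("COMMENT This is a commentary card"),
    _card("TMPCARD7= / comment for null keyword"),
    _card("END"),
])
SAMPLE_HEADER += b" " * (-len(SAMPLE_HEADER) % BLOCK_LEN)  # pad to a whole block


def _parse_value(field):
    """Split the text after 'KEY = ' into (value, comment)."""
    s = field.lstrip()
    if s.startswith("'"):                      # character string value
        m = _STRING_RE.match(s)
        if not m:
            raise FitsHeaderError("unterminated string value")
        rest = m.group(2).lstrip()
        comment = rest[1:].strip() if rest.startswith("/") else ""
        return m.group(1).replace("''", "'").rstrip(), comment  # trailing blanks not significant
    text, _, comment = s.partition("/")
    text, comment = text.strip(), comment.strip()
    if text == "":
        return None, comment                   # null-valued keyword, like TMPCARD7
    if text in ("T", "F"):
        return text == "T", comment            # logical
    for conv in (int, float):
        try:
            return conv(text.replace("D", "E")), comment  # FITS allows D exponents
        except ValueError:
            pass
    raise FitsHeaderError("unparseable value %r" % text)


def parse_header(buf):
    """Return (cards, commentary); cards maps keyword -> (value, comment)."""
    if not buf or len(buf) % BLOCK_LEN:
        raise FitsHeaderError("header is not a whole number of 2880-byte blocks")
    if any(b < 0x20 or b > 0x7E for b in buf):
        raise FitsHeaderError("header contains non-printable bytes")
    cards, commentary, pending = {}, [], None  # pending: key whose string ends in '&'
    for n in range(len(buf) // CARD_LEN):
        card = buf[n * CARD_LEN:(n + 1) * CARD_LEN].decode("ascii")
        keyword = card[:8].rstrip()
        if not _KEYWORD_RE.match(keyword):
            raise FitsHeaderError("illegal keyword %r at card %d" % (card[:8], n))
        if keyword == "END":
            return cards, commentary
        if keyword == "CONTINUE" and pending is not None:
            value, comment = _parse_value(card[8:])
            if not isinstance(value, str):
                raise FitsHeaderError("CONTINUE at card %d does not carry a string" % n)
            prev_value, prev_comment = cards[pending]
            cards[pending] = (prev_value[:-1] + value, prev_comment or comment)
            pending = pending if value.endswith("&") else None
            continue
        pending = None
        if card[8:10] != "= ":                 # COMMENT, HISTORY, blank keyword
            commentary.append((keyword, card[8:].rstrip()))
            continue
        value, comment = _parse_value(card[10:])
        if isinstance(value, str) and value.endswith("&"):
            pending = keyword                  # '&' is dropped only if CONTINUE follows
        cards[keyword] = (value, comment)
    raise FitsHeaderError("no END card in %d-byte header" % len(buf))


def reject_reason(buf):
    """Return the parser's error message for a bad header, or None if it parses."""
    try:
        parse_header(buf)
    except FitsHeaderError as exc:
        return str(exc)
```

`parse_header(SAMPLE_HEADER)` returns the parsed cards, with KEY_PKLS reassembled into one string; `reject_reason` wraps the parser so a harness can check which rule a malformed buffer trips. The reader covers only the card syntax of a header unit, not the data units or table extensions that the example programs linked above also exercise.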
Created attachment 10077 [details]
Entry level script for examining a FITS data file.

$ gcc -o fits -lcfitsio example.c
$ wget ftp://legacy.gsfc.nasa.gov/software/fitsio/c/testprog.std
$ ./fits testprog.std
Sorry, follow-on from comment 5. Of the nine utilities listed in the guide only fitscopy seems to be packaged with cfitsio. It works but so does cp.
Also, fits programs can deal with URLs directly, so fitscopy works like wget as well.

$ ./fits ftp://legacy.gsfc.nasa.gov/software/fitsio/c/testprog.std

works fine.
I suppose this was aimed at you, Len! Thanks for your various tests. Advisoried & validated.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0197.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
openSUSE has issued an advisory for this today (April 21):
https://lists.opensuse.org/opensuse-updates/2018-04/msg00050.html

One of the issues was severe and has a CVE.
Severity: normal => critical
Summary: cfitsio new security issues fixed upstream in 3.43 => cfitsio new security issues fixed upstream in 3.43 (including CVE-2018-1000166)