Bug 24586 - cfitsio new security issues CVE-2018-384[689]
Summary: cfitsio new security issues CVE-2018-384[689]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-03-28 21:49 CET by David Walser
Modified: 2019-04-05 20:14 CEST (History)

See Also:
Source RPM: cfitsio-3.430-1.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2019-03-28 21:49:09 CET
Fedora has issued an advisory on March 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/K46I2MFPCEOGC5LLDXZSWPB3EBPON3KA/

The issues are fixed upstream in 3.440.
Comment 1 Chris Denice 2019-03-28 22:33:58 CET
I have uploaded a patched package for Mageia 6.

We cannot upgrade to version 3.440 as this would imply a change of major and too many packages to recompile. Fedora provides a patch backporting the fixes to version 3.330, that I have imported from:

https://src.fedoraproject.org/rpms/cfitsio/blob/f28/f/cfitsio-backport344.patch


Suggested advisory:
========================

Updated cfitsio packages to fix security vulnerabilities:

* CVE-2018-3846: Unsafe use of sprintf() can allow a remote unauthenticated
  attacker to execute arbitrary code
* CVE-2018-3848: Stack-based buffer overflow in ffghbn() allows for
  potential code execution
* CVE-2018-3849: Stack-based buffer overflow in ffghtb() allows for potential 
  code execution

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1563915
https://bugzilla.redhat.com/show_bug.cgi?id=1568184
https://bugzilla.redhat.com/show_bug.cgi?id=1568189
========================

Updated packages in core/updates_testing:
========================
cfitsio-3.430-1.1.mga6
lib(64)cfitsio5-3.430-1.1.mga6
lib(64)cfitsio-devel-3.430-1.1.mga6
lib(64)cfitsio-static-devel-3.430-1.1

Source RPMs: 
cfitsio-3.430-1.1.mga6.src

Assignee: eatdirt => qa-bugs
CC: (none) => eatdirt
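The advisory above names two flavours of the same bug class: an unchecked sprintf() into a fixed buffer (CVE-2018-3846) and stack-based overflows in the table-header readers ffghbn()/ffghtb() (CVE-2018-3848/3849). The page gives no further details of the affected code, so the following is an added illustration, not cfitsio's code and not the Fedora backport: it builds and reads 80-character FITS header cards (KEYWORD = value / comment) with explicit bounds, and measures, without actually overflowing anything, how many bytes the naive sprintf() pattern would have written. All function names and the sample cards are invented for this example.

```c
/*
 * Added example, not cfitsio code.  A FITS header card is 80 bytes:
 *     KEYWORD = value / comment
 * Building such a card with sprintf()/strcpy() into a fixed stack buffer
 * is the bug class named in the advisory.  Below: the naive pattern
 * measured safely, and bounded write/read replacements (invented names).
 */
#include <stdio.h>
#include <string.h>

#define FITS_CARD_LEN 80
#define FITS_KEY_LEN   8

/* Bytes the naive  sprintf(card, "%-8s= %20s / %s", ...)  would write.
 * snprintf with a NULL target only counts, so calling this is safe; a
 * result above FITS_CARD_LEN means the real sprintf overran the card. */
int naive_card_bytes(const char *key, const char *value, const char *comment)
{
    return snprintf(NULL, 0, "%-8s= %20s / %s", key, value, comment);
}

/* Bounded builder: writes exactly FITS_CARD_LEN bytes + NUL into card
 * (caller supplies FITS_CARD_LEN + 1), pads with spaces, truncates the
 * comment, rejects oversized keyword/value.  0 on success, -1 on error. */
int safe_make_card(char card[FITS_CARD_LEN + 1], const char *key,
                   const char *value, const char *comment)
{
    if (strlen(key) > FITS_KEY_LEN || strlen(value) > 20)
        return -1;
    if (snprintf(card, FITS_CARD_LEN + 1, "%-8s= %20s / %s",
                 key, value, comment) < 0)
        return -1;
    size_t len = strlen(card);                 /* <= FITS_CARD_LEN */
    memset(card + len, ' ', FITS_CARD_LEN - len);
    card[FITS_CARD_LEN] = '\0';
    return 0;
}

/* Bounded reader: copies the trimmed value field (columns 11.. up to
 * " / ") into out.  Returns its length, or -1 when the card has no
 * "= " indicator or the value does not fit in outlen including NUL,
 * which is exactly the check an unbounded strcpy() would omit. */
int safe_get_value(const char *card, char *out, size_t outlen)
{
    if (strlen(card) < 10 || card[8] != '=' || card[9] != ' ')
        return -1;
    const char *start = card + 10;
    const char *end = strstr(start, " / ");
    size_t n = end ? (size_t)(end - start) : strlen(start);
    while (n > 0 && *start == ' ') { start++; n--; }
    while (n > 0 && start[n - 1] == ' ') n--;
    if (n + 1 > outlen)
        return -1;
    memcpy(out, start, n);
    out[n] = '\0';
    return (int)n;
}

/* Parse a card's value into a scratch buffer of the given size (<= 64)
 * and return safe_get_value's result, so the -1 for an undersized
 * destination is observable. */
int value_len_into(const char *card, size_t outlen)
{
    char out[64];
    if (outlen > sizeof out)
        return -1;
    return safe_get_value(card, out, outlen);
}

/* Build a card and read its value back: 1 if the card is exactly
 * FITS_CARD_LEN wide and the value survives the round trip, else 0. */
int card_roundtrip_ok(const char *key, const char *value, const char *comment)
{
    char card[FITS_CARD_LEN + 1];
    char back[32];
    if (safe_make_card(card, key, value, comment) != 0)
        return 0;
    if (strlen(card) != FITS_CARD_LEN)
        return 0;
    if (safe_get_value(card, back, sizeof back) < 0)
        return 0;
    return strcmp(back, value) == 0;
}

int main(void)
{
    char card[FITS_CARD_LEN + 1], val[16];
    char longcomment[200];                     /* constructed input */
    memset(longcomment, 'A', sizeof longcomment - 1);
    longcomment[sizeof longcomment - 1] = '\0';
    printf("naive sprintf would write %d bytes into an %d-byte card\n",
           naive_card_bytes("COMMENT", "", longcomment), FITS_CARD_LEN);
    if (safe_make_card(card, "BITPIX", "32", "number of bits per data pixel") == 0
        && safe_get_value(card, val, sizeof val) >= 0)
        printf("[%s]\nBITPIX value = %s\n", card, val);
    return 0;
}
```

The fixed-prefix arithmetic is the point: keyword (8) + "= " (2) + value (20) + " / " (3) is 33 bytes before the comment even starts, so any comment longer than 47 bytes already pushes the naive sprintf() past an 80-byte card. A real parser would also have to handle quoted string values that legitimately contain " / ", which this illustration does not attempt.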

Comment 2 Len Lawrence 2019-03-30 20:45:28 CET
mga6, x86_64

Found no POC for these CVEs.

Followed earlier procedure at https://bugs.mageia.org/show_bug.cgi?id=22855 and tested the sample data before and after updating.

The libraries concern the FITS data format which was first widely used in astronomical contexts.  One of its important constraints is that it must always be fully backwards compatible, ensuring that old data is always readable.

Used the previously compiled status check from the Quick Start Guide
https://heasarc.gsfc.nasa.gov/fitsio/fitsio.html to test the sample data before the update and recompiled it after the update.

Before update:

$ ./fits testprog.std > fits_before.txt

After updating:

$ gcc -o fits example.c -lcfitsio
$ ./fits testprog.std > fits_afterwards.txt
$ diff fits_before.txt fits_afterwards.txt 
$
$ head -8 fits_afterwards.txt
SIMPLE  =                    T / file does conform to FITS standard
BITPIX  =                   32 / number of bits per data pixel
NAXIS   =                    2 / number of data axes
NAXIS1  =                   10 / length of data axis 1
NAXIS2  =                    2 / length of data axis 2
EXTEND  =                    T / FITS dataset may contain extensions
COMMENT   FITS (Flexible Image Transport System) format is defined in 'Astronomy
COMMENT   and Astrophysics', volume 376, page 359; bibcode: 2001A&A...376..359H
$ tail -5 fits_afterwards.txt
COMMENT this is the 5th template card
HISTORY this is the 6th template card
TMPCARD7=                      / comment for null keyword
END

$

Good for 64-bits.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25

Comment 3 Len Lawrence 2019-03-30 21:11:03 CET
Missed the utilities.  Only fitscopy can be found on our system.  The others may be there in some form - might need compiling or extraction or whatever.
speed and cookbook are strings which occur all over the place in a locate search.

speed - measures the maximum throughput (in MB per second)
        for writing and reading FITS files with CFITSIO.
listhead - lists all the header keywords in any FITS file
fitscopy - copies any FITS file (especially useful in conjunction
           with the CFITSIO's extended input filename syntax).
cookbook - a sample program that performs common read and
           write operations on a FITS file.

fitscopy can be used as an extraction tool to write out subsections of the data.
Tested it here as a simple file copier (which is redundant) and it worked.

$ fitscopy testprog.std dummy.fits
Comment 4 Len Lawrence 2019-03-30 23:57:16 CET
Note also that the fitstopnm command is supplied by a different package: netpbm.
Len Lawrence 2019-04-01 00:35:20 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2019-04-04 14:59:08 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2019-04-05 20:14:28 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0133.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

