[Debian-astro-maintainers] Bug#1076547: iraf-wcstools: Potential vulnerability due to similarity with CVE-2021-33797 in MuJS project
Garnik Khroyan
garnik645 at gmail.com
Thu Jul 18 11:59:05 BST 2024
Package: iraf-wcstools
Version: 3.9.6-1
Severity: important
X-Debbugs-Cc: garnik645 at gmail.com
Dear Maintainer,
I would like to report a potential security issue related to the iraf-wcstools
project.
The project currently includes a code fragment in the libwcs/str2dsun.c file
that is very similar to a vulnerable code fragment from the mujs project,
identified as CVE-2021-33797.
CVE-2021-33797 involves a buffer overflow in jsdtoa.c in the mujs project.
Given the similarity in codebases, it is possible that iraf-wcstools might also
be affected by this vulnerability.
My report is primarily based on a static analysis tool developed at CAST, which
flagged the potential vulnerability due to similarities in the codebase.
Thank you for your attention to this matter and for your dedication to ensuring
the security and stability of the project.
-- System Information:
Debian Release: bookworm/sid
APT prefers jammy-updates
APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), (100, 'jammy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.5.0-35-generic (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages iraf-wcstools depends on:
ii iraf 2.17-1
ii wcstools 3.9.6-1
iraf-wcstools recommends no packages.
iraf-wcstools suggests no packages.
-- no debconf information