[Debian-astro-maintainers] Bug#1076547: Fwd: Bug#1076547: iraf-wcstools: Potential vulnerability due to similarity with CVE-2021-33797 in MuJS project

Ole Streicher olebole at debian.org
Thu Jul 18 13:17:06 BST 2024


Dear Jessica,

I just received a bug report about a potential security issue in the 
wcstools package (resp. the libwcs library), which is attached below. 
The URL for the bug report is <bugs.debian.org/1076547>.

The issue was originally covered in 
<https://github.com/ccxvii/mujs/issues/148>, with a fix in 
<https://github.com/ccxvii/mujs/commit/833b6f167>.

I think that the file libwcs/str2dsun.c is unused and not even compiled 
in libwcs. It was introduced in the source code of version 3.7.8 
(together with libwcs/str2dcpp.c) but was never mentioned in 
libwcs/Makefile. It therefore should just be removed, right?

If not, the fix could be just taken over by wcstools. What do you think?

Best regards

Ole


-------- Forwarded Message --------
Subject: Bug#1076547: iraf-wcstools: Potential vulnerability due to
similarity with CVE-2021-33797 in MuJS project
Resent-Date: Thu, 18 Jul 2024 11:03:02 +0000
Resent-From: Garnik Khroyan <garnik645 at gmail.com>
Resent-To: debian-bugs-dist at lists.debian.org
Resent-CC: garnik645 at gmail.com, Debian Astro Team
<debian-astro-maintainers at lists.alioth.debian.org>
Date: Thu, 18 Jul 2024 14:59:05 +0400
From: Garnik Khroyan <garnik645 at gmail.com>
Reply-To: Garnik Khroyan <garnik645 at gmail.com>, 1076547 at bugs.debian.org
To: Debian Bug Tracking System <submit at bugs.debian.org>

Package: iraf-wcstools
Version: 3.9.6-1
Severity: important
X-Debbugs-Cc: garnik645 at gmail.com

Dear Maintainer,

I would like to report a potential security issue related to the
iraf-wcstools project.
The project currently includes a code fragment in the libwcs/str2dsun.c 
file that is very similar to a vulnerable code fragment from the mujs 
project, identified as CVE-2021-33797.

CVE-2021-33797 involves a buffer overflow in jsdtoa.c in the mujs 
project. Given the similarity in codebases, it is possible that 
iraf-wcstools might also be affected by this vulnerability.

My report is primarily based on a static analysis tool developed at
CAST, which flagged the potential vulnerability due to similarities in 
the codebase.

Thank you for your attention to this matter and for your dedication to
ensuring the security and stability of the project.
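A maintainer triaging a report like this usually wants to confirm the claim that the flagged file is never built before deciding whether to drop it or port the upstream fix. The script below is an added example, not code from the bug report or from the wcstools project: it lists every `.c` file in a source directory that the directory's Makefile never references, so that an orphaned file is separated from code that actually ends up in the library. The fixture it creates (a toy `libwcs/` tree with `wcs.c`, `dsun.c`, and two orphaned files) is constructed for the example and is not the real wcstools layout.

```shell
#!/bin/sh
# Added example (not from the bug report or the wcstools project).
# unreferenced_sources MAKEFILE SRCDIR
#   Print the .c files under SRCDIR whose stem appears nowhere in MAKEFILE
#   as either "name.c" or "name.o". A file listed here is not compiled into
#   the library, so a defect in it cannot reach the built code; it still
#   trips similarity-based scanners and should be removed or built on purpose.
unreferenced_sources() {
    makefile="$1"
    srcdir="$2"
    for src in "$srcdir"/*.c; do
        [ -e "$src" ] || continue
        base=$(basename "$src" .c)
        # Anchor both ends of the stem so that "dsun.o" does not count as a
        # reference to "str2dsun.c" and vice versa.
        if ! grep -Eq "(^|[^[:alnum:]_])${base}\.[co]([^[:alnum:]_]|$)" "$makefile"; then
            echo "$base.c"
        fi
    done
}

# Constructed fixture: a toy libwcs-like tree in a temporary directory.
# Two of the four sources are deliberately left out of the Makefile.
make_fixture() {
    dir=$(mktemp -d)
    mkdir "$dir/libwcs"
    : > "$dir/libwcs/wcs.c"
    : > "$dir/libwcs/dsun.c"
    : > "$dir/libwcs/str2dsun.c"
    : > "$dir/libwcs/str2dcpp.c"
    cat > "$dir/libwcs/Makefile" <<'EOF'
# constructed Makefile for the example; two sources are intentionally absent
OBJS = wcs.o dsun.o
libwcs.a: $(OBJS)
EOF
    echo "$dir"
}

# Stand-alone run: build the fixture and report the orphaned files.
if [ "${1:-}" = "--demo" ]; then
    fixture=$(make_fixture)
    unreferenced_sources "$fixture/libwcs/Makefile" "$fixture/libwcs"
    rm -rf "$fixture"
fi
```

Run it against a real checkout with `unreferenced_sources libwcs/Makefile libwcs` after sourcing the script. A Makefile that mentions a file only in a comment still counts as a reference here, which matches the "never mentioned" wording in the message above; for a stronger check, inspect the built archive with `nm libwcs.a` and look for symbols that only the suspect file would define.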
