[Debian-med-packaging] Bug#917211: igraph: CVE-2018-20349
Salvatore Bonaccorso
carnil at debian.org
Mon Dec 24 08:13:02 GMT 2018
Source: igraph
Version: 0.7.1-2.1
Severity: important
Tags: patch security upstream
Control: clone -1 -2
Control: reassign -2 src:r-cran-igraph 1.2.2-1
Control: retitle -2 r-cran-igraph: CVE-2018-20349
Control: forwarded -1 https://github.com/igraph/igraph/issues/1141
Hi,
The following vulnerability was published for igraph.
CVE-2018-20349[0]:
| The igraph_i_strdiff function in igraph_trie.c in igraph through 0.7.1
| has a NULL pointer dereference that allows attackers to cause a denial
| of service (application crash) via a crafted object.
The underlying issue seems to be triggered if there is a missing key
attribute in a <data> tag, which the patch then will skip/ignore.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-20349
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20349
[1] https://github.com/igraph/igraph/issues/1141
[2] https://github.com/igraph/igraph/commit/e3a9566e6463186230f215151b57b893df6d9ce2
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
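The bug class described in the report, as an added illustration that is not igraph's code or the upstream patch: a SAX-style handler for GraphML <data> elements receives attributes as an expat-style NULL-terminated name/value array (an assumption of this example), and the "known keys" d0/d1 are constructed. The unchecked handler passes a missing "key" attribute straight into a string comparison; the hardened one skips the element instead.

```c
/* Illustrative example, not igraph's code. Demonstrates why a <data>
 * element without a "key" attribute must be skipped rather than
 * dereferenced. Attribute arrays follow the expat convention:
 * { name, value, name, value, ..., NULL }. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return the value of attribute `name`, or NULL when it is absent. */
static const char *find_attr(const char **attrs, const char *name) {
    for (size_t i = 0; attrs[i] != NULL; i += 2) {
        if (strcmp(attrs[i], name) == 0)
            return attrs[i + 1];
    }
    return NULL;
}

/* Constructed set of <key> ids declared earlier in the document. */
static const char *known_keys[] = { "d0", "d1", NULL };

/* Index of `key` among the declared keys, -1 if unknown. Crashes on NULL. */
static int key_index(const char *key) {
    for (int i = 0; known_keys[i] != NULL; i++)
        if (strcmp(known_keys[i], key) == 0)
            return i;
    return -1;
}

/* Vulnerable form: a <data> element with no "key" attribute makes
 * find_attr() return NULL, which key_index() then dereferences. */
int handle_data_unchecked(const char **attrs) {
    return key_index(find_attr(attrs, "key"));
}

/* Hardened form: skip the element (return -1) when "key" is missing,
 * mirroring the skip/ignore behaviour the report attributes to the patch. */
int handle_data_checked(const char **attrs) {
    const char *key = find_attr(attrs, "key");
    if (key == NULL) {
        fprintf(stderr, "<data> without key attribute: skipped\n");
        return -1;
    }
    return key_index(key);
}

/* Constructed inputs as a SAX parser would deliver them for
 * <data key="d1">...</data> and <data id="x">...</data>. */
const char *well_formed[] = { "key", "d1", NULL };
const char *missing_key[] = { "id", "x", NULL };
```

Calling handle_data_unchecked(missing_key) reproduces the NULL dereference; handle_data_checked(missing_key) returns -1 and continues.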