[Debian-med-packaging] Bug#1009900: fis-gtm: Multiple CVEs in fis-gtm

Neil Williams codehelp at debian.org
Wed Apr 20 11:13:31 BST 2022


Source: fis-gtm
Version: 6.3-014-3
Severity: important
Tags: security
X-Debbugs-Cc: codehelp at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerabilities were published for fis-gtm.

CVE-2021-44492[0]:
| An issue was discovered in YottaDB through r1.32 and V7.0-000 and FIS
| GT.M through V7.0-000. Using crafted input, attackers can cause a type
| to be incorrectly initialized in the function f_incr in
| sr_port/f_incr.c and cause a crash due to a NULL pointer dereference.


CVE-2021-44493[1]:
| An issue was discovered in YottaDB through r1.32 and V7.0-000 and FIS
| GT.M through V7.0-000. Using crafted input, an attacker can cause a
| call to $Extract to force a signed integer holding the size of a
| buffer to take on a large negative number, which is then used as the
| length of a memcpy call that occurs on the stack, causing a buffer
| overflow.


CVE-2021-44494[2]:
| An issue was discovered in YottaDB through r1.32 and V7.0-000 and FIS
| GT.M through V7.0-000. Using crafted input, an attacker can cause
| calls to ZRead to crash due to a NULL pointer dereference.


CVE-2021-44495[3]:
| An issue was discovered in YottaDB through r1.32 and V7.0-000 and FIS
| GT.M through V7.0-000. Using crafted input, an attacker can cause a
| NULL pointer dereference after calls to ZPrint.


CVE-2021-44496[4]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, an attacker can control the
| size variable and buffer that is passed to a call to memcpy. An
| attacker can use this to overwrite key data structures and gain
| control of the flow of execution.


CVE-2021-44497[5]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, an attacker can cause the
| bounds of a for loop to be miscalculated, which leads to a use after
| free condition as a pointer is pushed into previously freed memory by
| the loop.


CVE-2021-44498[6]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, attackers can cause a type to
| be incorrectly initialized in the function f_incr in sr_port/f_incr.c
| and cause a crash due to a NULL pointer dereference.


CVE-2021-44499[7]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, an attacker can cause a call
| to $Extract to force a signed integer holding the size of a buffer to
| take on a large negative number, which is then used as the length of a
| memcpy call that occurs on the stack, causing a buffer overflow.


CVE-2021-44500[8]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). A lack of input validation in calls to eb_div in
| sr_port/eb_muldiv.c allows attackers to crash the application by
| performing a divide by zero.


CVE-2021-44501[9]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, an attacker can cause calls
| to ZRead to crash due to a NULL pointer dereference.


CVE-2021-44502[10]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, an attacker can control the
| size of a memset that occurs in calls to util_format in
| sr_unix/util_output.c.


CVE-2021-44503[11]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, an attacker can cause a call
| to va_arg on an empty variadic parameter list, most likely causing a
| memory segmentation fault.


CVE-2021-44504[12]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, an attacker can cause a size
| variable, stored as a signed int, to equal an extremely large value,
| which is interpreted as a negative value during a check. This value is
| then used in a memcpy call on the stack, causing a memory segmentation
| fault.


CVE-2021-44505[13]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, an attacker can cause a NULL
| pointer dereference after calls to ZPrint.


CVE-2021-44506[14]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). A lack of input validation in calls to do_verify
| in sr_unix/do_verify.c allows attackers to attempt to jump to a NULL
| pointer by corrupting a function pointer.


CVE-2021-44507[15]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). A lack of parameter validation in calls to memcpy
| in str_tok in sr_unix/ztimeoutroutines.c allows attackers to attempt
| to read from a NULL pointer.


CVE-2021-44508[16]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). A lack of NULL checks in calls to ious_open in
| sr_unix/ious_open.c allows attackers to crash the application by
| dereferencing a NULL pointer.


CVE-2021-44509[17]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, attackers can cause an
| integer underflow of the size of calls to memset in op_fnj3 in
| sr_port/op_fnj3.c in order to cause a segmentation fault and crash the
| application.


CVE-2021-44510[18]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, attackers can cause a
| calculation of the size of calls to memset in op_fnj3 in
| sr_port/op_fnj3.c to result in an extremely large value in order to
| cause a segmentation fault and crash the application.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-44492
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44492
[1] https://security-tracker.debian.org/tracker/CVE-2021-44493
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44493
[2] https://security-tracker.debian.org/tracker/CVE-2021-44494
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44494
[3] https://security-tracker.debian.org/tracker/CVE-2021-44495
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44495
[4] https://security-tracker.debian.org/tracker/CVE-2021-44496
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44496
[5] https://security-tracker.debian.org/tracker/CVE-2021-44497
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44497
[6] https://security-tracker.debian.org/tracker/CVE-2021-44498
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44498
[7] https://security-tracker.debian.org/tracker/CVE-2021-44499
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44499
[8] https://security-tracker.debian.org/tracker/CVE-2021-44500
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44500
[9] https://security-tracker.debian.org/tracker/CVE-2021-44501
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44501
[10] https://security-tracker.debian.org/tracker/CVE-2021-44502
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44502
[11] https://security-tracker.debian.org/tracker/CVE-2021-44503
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44503
[12] https://security-tracker.debian.org/tracker/CVE-2021-44504
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44504
[13] https://security-tracker.debian.org/tracker/CVE-2021-44505
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44505
[14] https://security-tracker.debian.org/tracker/CVE-2021-44506
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44506
[15] https://security-tracker.debian.org/tracker/CVE-2021-44507
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44507
[16] https://security-tracker.debian.org/tracker/CVE-2021-44508
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44508
[17] https://security-tracker.debian.org/tracker/CVE-2021-44509
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44509
[18] https://security-tracker.debian.org/tracker/CVE-2021-44510
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44510

Please adjust the affected versions in the BTS as needed.


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.16.0-6-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
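The three signed-size entries in the report (CVE-2021-44493, CVE-2021-44499 and CVE-2021-44504) describe one mechanism: a length kept in a signed int slips past an upper-bound check because it is negative, and memcpy then receives it converted to a huge size_t. The C below is an added illustration of that check pattern beside its corrected form; it is constructed for this note, not code from GT.M, YottaDB or the Debian package, and STACK_BUF_LEN and the function names are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_BUF_LEN 64   /* hypothetical fixed stack buffer size */

/* Models the flawed check: the signed length is compared only against the
 * upper bound, so a negative value passes. Returns the value memcpy would
 * be handed after conversion to size_t, or 0 when the check rejects it. */
size_t flawed_copy_len(int len)
{
    if (len > STACK_BUF_LEN)
        return 0;               /* rejected: too large */
    return (size_t)len;         /* -1 becomes SIZE_MAX here */
}

/* Hardened check: reject negative lengths before the bound comparison, and
 * only then hand the value over as a size_t. Returns false if refused. */
bool checked_copy_len(int len, size_t cap, size_t *out)
{
    if (len < 0 || (size_t)len > cap)
        return false;
    *out = (size_t)len;
    return true;
}

/* Copies len bytes of src into a fixed stack buffer using the hardened
 * check. Returns the number of bytes copied, or -1 if the request is
 * refused. src must hold at least len bytes. */
int copy_to_stack(const char *src, int len)
{
    char buf[STACK_BUF_LEN];
    size_t n;
    if (!checked_copy_len(len, sizeof buf, &n))
        return -1;
    memcpy(buf, src, n);
    return (int)n;
}

int main(void)
{
    /* Constructed inputs: a negative length passes the flawed check but is
     * refused by the hardened one. */
    printf("flawed check, len=-1: memcpy length %zu\n", flawed_copy_len(-1));
    printf("hardened copy, len=-1: %d\n", copy_to_stack("abc", -1));
    printf("hardened copy, len=3: %d\n", copy_to_stack("abc", 3));
    return 0;
}
```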