[Debian-med-packaging] Bug#1034805: fis-gtm: CVE-2021-44496 CVE-2021-44504
Moritz Mühlenhoff
jmm at inutil.org
Mon Apr 24 22:00:57 BST 2023
Source: fis-gtm
X-Debbugs-CC: team at security.debian.org
Severity: normal
Tags: security
Hi,
The following vulnerabilities were published for fis-gtm.
CVE-2021-44496[0]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, an attacker can control the
| size variable and buffer that is passed to a call to memcpy. An
| attacker can use this to overwrite key data structures and gain
| control of the flow of execution.
http://tinco.pair.com/bhaskar/gtm/doc/articles/GTM_V7.0-002_Release_Notes.html
https://gitlab.com/YottaDB/DB/YDB/-/issues/828
CVE-2021-44504[1]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, an attacker can cause a size
| variable, stored as an signed int, to equal an extremely large value,
| which is interpreted as a negative value during a check. This value is
| then used in a memcpy call on the stack, causing a memory segmentation
| fault.
http://tinco.pair.com/bhaskar/gtm/doc/articles/GTM_V7.0-002_Release_Notes.html
https://gitlab.com/YottaDB/DB/YDB/-/issues/828
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-44496
https://www.cve.org/CVERecord?id=CVE-2021-44496
[1] https://security-tracker.debian.org/tracker/CVE-2021-44504
https://www.cve.org/CVERecord?id=CVE-2021-44504
Please adjust the affected versions in the BTS as needed.
More information about the Debian-med-packaging
mailing list