Bug#898135: bibutils: CVE-2018-10773 CVE-2018-10774 CVE-2018-10775

David Bremner david at tethera.net
Mon May 7 20:19:22 BST 2018


Salvatore Bonaccorso <carnil at debian.org> writes:

> Source: bibutils
> Version: 6.2-1
> Severity: normal
> Tags: security upstream
>
> Hi,
>
> The following vulnerabilities were published for bibutils. This report
> is to mainly make aware of the issues, I'm not sure if upstream were
> made aware of those, as the CVE references by now just consist of
> pointing to reproducers.
>
> CVE-2018-10773[0]:
> | NULL pointer dereference in the addsn function in serialno.c in
> | libbibcore.a in bibutils through 6.2 allows remote attackers to cause a
> | denial of service (application crash), as demonstrated by copac2xml.
>
> CVE-2018-10774[1]:
> | Read access violation in the isiin_keyword function in isiin.c in
> | libbibutils.a in bibutils through 6.2 allows remote attackers to cause
> | a denial of service (application crash), as demonstrated by isi2xml.
>
> CVE-2018-10775[2]:
> | NULL pointer dereference in the _fields_add function in fields.c in
> | libbibcore.a in bibutils through 6.2 allows remote attackers to cause a
> | denial of service (application crash), as demonstrated by end2xml.
>

Thanks for the report. The use of "remote attacker" seems odd to me,
since bibutils does not provide any network functionality.

d
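All three CVEs describe the same class of defect: a converter that takes a bibliography file as input and, on a malformed record, follows a pointer that is NULL (or otherwise invalid) instead of reporting an error, so a crafted input file crashes the process. The report above carries no code, so the following is an added illustration of that bug class and its fix, written for this page; it is not bibutils code, the `fields`, `fields_add_unchecked`, `fields_add_checked`, `split_line` and `parse_record` names are hypothetical, and the tagged-line sample record is constructed here, not a reproducer for any of the CVEs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXFIELDS 16

/* Hypothetical toy tag/value container; NOT bibutils's fields.c. */
typedef struct {
    char *tag[MAXFIELDS];
    char *value[MAXFIELDS];
    int n;
} fields;

static void fields_init(fields *f) { f->n = 0; }

static void fields_free(fields *f) {
    for (int i = 0; i < f->n; i++) { free(f->tag[i]); free(f->value[i]); }
    f->n = 0;
}

/* Local copy helper; like strdup, strlen(NULL) dereferences a NULL pointer. */
static char *dup_str(const char *s) {
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    if (p != NULL) memcpy(p, s, len);
    return p;
}

/* Unchecked add: the bug class behind the three CVEs. A line with a tag and
 * no value reaches dup_str(NULL), which reads through NULL and kills the
 * converter (denial of service) instead of producing an error. */
static int fields_add_unchecked(fields *f, const char *tag, const char *value) {
    if (f->n >= MAXFIELDS) return -1;
    f->tag[f->n] = dup_str(tag);
    f->value[f->n] = dup_str(value); /* crashes when value == NULL */
    f->n++;
    return 0;
}

/* Hardened add: validate every pointer, handle allocation failure, and
 * return -1 so the caller can skip the malformed line and keep going. */
static int fields_add_checked(fields *f, const char *tag, const char *value) {
    if (f == NULL || tag == NULL || value == NULL) return -1;
    if (f->n >= MAXFIELDS) return -1;
    char *t = dup_str(tag);
    char *v = dup_str(value);
    if (t == NULL || v == NULL) { free(t); free(v); return -1; }
    f->tag[f->n] = t;
    f->value[f->n] = v;
    f->n++;
    return 0;
}

/* Split "TAG VALUE" into tag and value (both point into buf). A line with no
 * space yields value == NULL: the missing piece an unchecked add dereferences. */
static void split_line(const char *line, char *buf, size_t buflen,
                       char **tag, char **value) {
    snprintf(buf, buflen, "%s", line);
    buf[strcspn(buf, "\r\n")] = '\0';
    *tag = buf;
    char *sp = strchr(buf, ' ');
    if (sp == NULL) { *value = NULL; return; }
    *sp = '\0';
    *value = sp + 1;
}

/* Parse newline-separated tagged lines with the hardened add. Returns the
 * number of fields accepted; *rejected counts malformed lines skipped. */
static int parse_record(const char *text, fields *f, int *rejected) {
    char copy[1024];
    snprintf(copy, sizeof copy, "%s", text);
    *rejected = 0;
    for (char *line = strtok(copy, "\n"); line != NULL; line = strtok(NULL, "\n")) {
        char buf[256];
        char *tag, *value;
        split_line(line, buf, sizeof buf, &tag, &value);
        if (fields_add_checked(f, tag, value) != 0) (*rejected)++;
    }
    return f->n;
}

/* Constructed sample record (not a real reproducer): line 3 has a tag but no value. */
static const char *SAMPLE =
    "%A Bremner, David\n%T Notes on bibutils\n%D\n%J Some Journal\n";

static int demo_accepted(void) {
    fields f; int rej; fields_init(&f);
    int n = parse_record(SAMPLE, &f, &rej);
    fields_free(&f);
    return n;
}

static int demo_rejected(void) {
    fields f; int rej; fields_init(&f);
    parse_record(SAMPLE, &f, &rej);
    fields_free(&f);
    return rej;
}

static int demo_null_value_rejected(void) {
    fields f; fields_init(&f);
    int rc = fields_add_checked(&f, "%D", NULL);
    fields_free(&f);
    return rc;
}

int main(void) {
    fields f; fields_init(&f);
    fields_add_unchecked(&f, "%A", "well-formed input is fine");
    fields_free(&f);
    printf("accepted %d field(s), rejected %d malformed line(s)\n",
           demo_accepted(), demo_rejected());
    /* fields_add_unchecked(&f, "%D", NULL) would segfault at this point. */
    return 0;
}
```

The practical check for a converter like this is to feed it a file that is missing pieces (a tag with no value, a truncated record, an empty keyword list) and confirm that it reports an error and continues rather than crashing; the hardened add returns -1 for the malformed line and the parser counts it, which is the behaviour a fix for this class of bug should produce.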



More information about the debian-science-maintainers mailing list