Bug#898135: bibutils: CVE-2018-10773 CVE-2018-10774 CVE-2018-10775

[Salvatore Bonaccorso]

Hi David,

On Mon, May 07, 2018 at 04:19:22PM -0300, David Bremner wrote:
> Salvatore Bonaccorso <carnil at debian.org> writes:
> 
> > Source: bibutils
> > Version: 6.2-1
> > Severity: normal
> > Tags: security upstream
> >
> > Hi,
> >
> > The following vulnerabilities were published for bibutils. This report
> > is to mainly make aware of the issues, I'm not sure if upstream were
> > made aware of those, as the CVE references by now just consist of
> > pointing to reproducers.
> >
> > CVE-2018-10773[0]:
> > | NULL pointer deference in the addsn function in serialno.c in
> > | libbibcore.a in bibutils through 6.2 allows remote attackers to cause a
> > | denial of service (application crash), as demonstrated by copac2xml.
> >
> > CVE-2018-10774[1]:
> > | Read access violation in the isiin_keyword function in isiin.c in
> > | libbibutils.a in bibutils through 6.2 allows remote attackers to cause
> > | a denial of service (application crash), as demonstrated by isi2xml.
> >
> > CVE-2018-10775[2]:
> > | NULL pointer dereference in the _fields_add function in fields.c in
> > | libbibcore.a in bibutils through 6.2 allows remote attackers to cause a
> > | denial of service (application crash), as demonstrated by end2xml.
> >
> 
> Thanks for the report. The use of "remote attacker" seems odd to me,
> since bibutils does not provide any network functionality.

Note those are just the CVE descriptions from the MITRE database, it's
actually maybe even a bit of a stretch to call all those
vulnerabilities (rather than just bugs). I guess the reporter had in
mind a webexposed service which uses bibutils when requesting the CVE
and mentioning remote attacker and denial of service. My intention
was, given the reporter of those probably did not notify upstream,
upstream could be notified of those bugs at least via Debian. We have
marked all those arleady as "unimportant" in the security tracker.

Regards,
Salvatore