[Git][security-tracker-team/security-tracker][master] Add CVE-2019-1010060/cfitsio
Salvatore Bonaccorso
carnil at debian.org
Tue Jul 16 20:24:07 BST 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
437baa1d by Salvatore Bonaccorso at 2019-07-16T19:20:26Z
Add CVE-2019-1010060/cfitsio
After query to MITRE the reason behind that there is one additional CVE,
is that there were other security wise sensitive issues fixed in 3.43
but not covered by the CVEs CVE-2018-3846, CVE-2018-3847,
CVE-2018-3848, and CVE-2018-3849. One example is given in the NOTE
itself.
The above CVEs were only to address issues in the gphd, ffgtkn, ffgkyn,
ffghbn, and ffghtb functions. However, the upgrade from 3.42 to 3.43
also has many other changes.
As CVE-2019-1010060 mentions: "over 40 source code files were changed."
It is not worth trying to tackle all those for stretch (and probably
older). So marking stretch as no-dsa in accordance with the setting for
CVE-2018-3846, CVE-2018-3847, CVE-2018-3848, and CVE-2018-3849.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -11116,8 +11116,14 @@ CVE-2019-1010062
RESERVED
CVE-2019-1010061
RESERVED
-CVE-2019-1010060
+CVE-2019-1010060 [issues in cfitsio not covered by CVE-2018-3846, CVE-2018-3847, CVE-2018-3848, and CVE-2018-3849]
RESERVED
+ - cfitsio 3.430-1 (low; bug #892458)
+ [stretch] - cfitsio <no-dsa> (Minor issue)
+ NOTE: The issue is specifically to other issues not covered by CVE-2018-3846,
+ NOTE: CVE-2018-3847, CVE-2018-3848, and CVE-2018-3849 but fixed in 3.43. One
+ NOTE: example is ftp_status in drvrnet.c mishandling a long string beginning
+ NOTE: with a '4' character.
CVE-2019-1010059
RESERVED
CVE-2019-1010058
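Review bot: The first NOTE line, "The issue is specifically to other issues not covered by ...", does not parse cleanly and leaves the scope of CVE-2019-1010060 vague; wording such as "This CVE covers the remaining issues fixed in 3.43 that are not covered by CVE-2018-3846, CVE-2018-3847, CVE-2018-3848, and CVE-2018-3849" would be clearer. The commit message says this scope came from a query to MITRE, and that rationale would be worth recording in a NOTE line too, since the data file is what later readers consult. The commit message also speaks of "stretch (and probably older)" while the hunk adds only a [stretch] line, so it is worth confirming that no older release needs its own entry.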
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/437baa1d52e7ab33eb248bd2358895e745ae5da3