Subject: iraf-wcstools: Potential vulnerability due to similarity with CVE-2021-33797 in MuJS project
Date: Thu, 18 Jul 2024 14:59:05 +0400
Package: iraf-wcstools
Version: 3.9.6-1
Severity: important
X-Debbugs-Cc: [email protected]
Dear Maintainer,
I would like to report a potential security issue related to the iraf-wcstools
project.
The project currently includes a code fragment in the libwcs/str2dsun.c file
that is very similar to a vulnerable code fragment from the mujs project,
identified as CVE-2021-33797.
CVE-2021-33797 involves a buffer overflow in jsdtoa.c in the mujs project.
Given the similarity in codebases, it is possible that iraf-wcstools might also
be affected by this vulnerability.
My report is primarily based on a static analysis tool developed at CAST, which
flagged the potential vulnerability due to similarities in the codebase.
Thank you for your attention to this matter and for your dedication to ensuring
the security and stability of the project.
-- System Information:
Debian Release: bookworm/sid
APT prefers jammy-updates
APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), (100, 'jammy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.5.0-35-generic (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages iraf-wcstools depends on:
ii iraf 2.17-1
ii wcstools 3.9.6-1
iraf-wcstools recommends no packages.
iraf-wcstools suggests no packages.
-- no debconf information
Acknowledgement sent
to Ole Streicher <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian Astro Team <[email protected]>.
(Thu, 18 Jul 2024 12:21:03 GMT) (full text, mbox, link).
Subject: Fwd: Bug#1076547: iraf-wcstools: Potential vulnerability due to
similarity with CVE-2021-33797 in MuJS project
Date: Thu, 18 Jul 2024 14:17:06 +0200
Dear Jessica,
I just received a bug report about a potential security issue in the
wcstools package (resp. the libwcs library), which is attached below.
The URL for the bug report is <bugs.debian.org/1076547>.
The issue war originally covered in
<https://github.com/ccxvii/mujs/issues/148>, with a fix in
<https://github.com/ccxvii/mujs/commit/833b6f167>.
I think that the file libwcs/str2dsun.c is unused and not even compiled
in libwcs. It was introduced in the source code of version 3.7.8
(together with libwcs/str2dcpp.c) but was never mentioned in
libwcs/Makefile. It therefore should just be removed, right?
If not, the fix could be just taken over by wcstools. What do you think?
Best regards
Ole
-------- Forwarded Message --------
Subject: Bug#1076547: iraf-wcstools: Potential vulnerability due to
similarity with CVE-2021-33797 in MuJS project
Resent-Date: Thu, 18 Jul 2024 11:03:02 +0000
Resent-From: Garnik Khroyan <[email protected]>
Resent-To: [email protected]
Resent-CC: [email protected], Debian Astro Team
<[email protected]>
Date: Thu, 18 Jul 2024 14:59:05 +0400
From: Garnik Khroyan <[email protected]>
Reply-To: Garnik Khroyan <[email protected]>, [email protected]
To: Debian Bug Tracking System <[email protected]>
Package: iraf-wcstools
Version: 3.9.6-1
Severity: important
X-Debbugs-Cc: [email protected]
Dear Maintainer,
I would like to report a potential security issue related to the
iraf-wcstools project.
The project currently includes a code fragment in the libwcs/str2dsun.c
file that is very similar to a vulnerable code fragment from the mujs
project, identified as CVE-2021-33797.
CVE-2021-33797 involves a buffer overflow in jsdtoa.c in the mujs
project. Given the similarity in codebases, it is possible that
iraf-wcstools might also be affected by this vulnerability.
My report is primarily based on a static analysis tool developed at
CAST, which flagged the potential vulnerability due to similarities in
the codebase.
Thank you for your attention to this matter and for your dedication to
ensuring the security and stability of the project.
Acknowledgement sent
to Ole Streicher <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian Astro Team <[email protected]>.
(Thu, 18 Jul 2024 12:24:03 GMT) (full text, mbox, link).
Subject: Re: Bug#1076547: iraf-wcstools: Potential vulnerability due to
similarity with CVE-2021-33797 in MuJS project
Date: Thu, 18 Jul 2024 14:21:01 +0200
Control: forwarded -1 [email protected]
Dear Garnick,
I forwarded the bug to upstream. However, I think this does actually not
affect the wcstools package because this file is unused in the code. If
there is no contradicting reaction from upstream, I would just close
this bug (maybe while also explicitly removing there files in d/clean).
Best
Ole
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.