Your message dated Sun, 28 Aug 2022 17:00:11 +0000
with message-id <e1osldr-00giuz...@fasolo.debian.org>
and subject line Bug#1009900: fixed in fis-gtm 7.0-002-1
has caused the Debian Bug report #1009900,
regarding fis-gtm: Multiple CVEs in fis-gtm
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1009900: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009900
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: fis-gtm
Version: 6.3-014-3
Severity: important
Tags: security
X-Debbugs-Cc: codeh...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for fis-gtm.

CVE-2021-44492[0]:
| An issue was discovered in YottaDB through r1.32 and V7.0-000 and FIS
| GT.M through V7.0-000. Using crafted input, attackers can cause a type
| to be incorrectly initialized in the function f_incr in
| sr_port/f_incr.c and cause a crash due to a NULL pointer dereference.


CVE-2021-44493[1]:
| An issue was discovered in YottaDB through r1.32 and V7.0-000 and FIS
| GT.M through V7.0-000. Using crafted input, an attacker can cause a
| call to $Extract to force a signed integer holding the size of a
| buffer to take on a large negative number, which is then used as the
| length of a memcpy call that occurs on the stack, causing a buffer
| overflow.


CVE-2021-44494[2]:
| An issue was discovered in YottaDB through r1.32 and V7.0-000 and FIS
| GT.M through V7.0-000. Using crafted input, an attacker can cause
| calls to ZRead to crash due to a NULL pointer dereference.


CVE-2021-44495[3]:
| An issue was discovered in YottaDB through r1.32 and V7.0-000 and FIS
| GT.M through V7.0-000. Using crafted input, an attacker can cause a
| NULL pointer dereference after calls to ZPrint.


CVE-2021-44496[4]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, an attacker can control the
| size variable and buffer that is passed to a call to memcpy. An
| attacker can use this to overwrite key data structures and gain
| control of the flow of execution.


CVE-2021-44497[5]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, an attacker can cause the
| bounds of a for loop to be miscalculated, which leads to a use after
| free condition where a pointer is pushed into previously free memory
| by the loop.


CVE-2021-44498[6]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, attackers can cause a type to
| be incorrectly initialized in the function f_incr in sr_port/f_incr.c
| and cause a crash due to a NULL pointer dereference.


CVE-2021-44499[7]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, an attacker can cause a call
| to $Extract to force a signed integer holding the size of a buffer to
| take on a large negative number, which is then used as the length of a
| memcpy call that occurs on the stack, causing a buffer overflow.


CVE-2021-44500[8]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). A lack of input validation in calls to eb_div in
| sr_port/eb_muldiv.c allows attackers to crash the application by
| performing a divide by zero.


CVE-2021-44501[9]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, an attacker can cause calls
| to ZRead to crash due to a NULL pointer dereference.


CVE-2021-44502[10]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, an attacker can control the
| size of a memset that occurs in calls to util_format in
| sr_unix/util_output.c.


CVE-2021-44503[11]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, an attacker can cause a call
| to va_arg on an empty variadic parameter list, most likely causing a
| memory segmentation fault.


CVE-2021-44504[12]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, an attacker can cause a size
| variable, stored as a signed int, to equal an extremely large value,
| which is interpreted as a negative value during a check. This value is
| then used in a memcpy call on the stack, causing a memory segmentation
| fault.


CVE-2021-44505[13]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, an attacker can cause a NULL
| pointer dereference after calls to ZPrint.


CVE-2021-44506[14]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). A lack of input validation in calls to do_verify
| in sr_unix/do_verify.c allows attackers to attempt to jump to a NULL
| pointer by corrupting a function pointer.


CVE-2021-44507[15]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). A lack of parameter validation in calls to memcpy
| in str_tok in sr_unix/ztimeoutroutines.c allows attackers to attempt
| to read from a NULL pointer.


CVE-2021-44508[16]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). A lack of NULL checks in calls to ious_open in
| sr_unix/ious_open.c allows attackers to crash the application by
| dereferencing a NULL pointer.


CVE-2021-44509[17]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, attackers can cause an
| integer underflow of the size of calls to memset in op_fnj3 in
| sr_port/op_fnj3.c in order to cause a segmentation fault and crash the
| application.


CVE-2021-44510[18]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, attackers can cause a
| calculation of the size of calls to memset in op_fnj3 in
| sr_port/op_fnj3.c to result in an extremely large value in order to
| cause a segmentation fault and crash the application.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-44492
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44492
[1] https://security-tracker.debian.org/tracker/CVE-2021-44493
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44493
[2] https://security-tracker.debian.org/tracker/CVE-2021-44494
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44494
[3] https://security-tracker.debian.org/tracker/CVE-2021-44495
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44495
[4] https://security-tracker.debian.org/tracker/CVE-2021-44496
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44496
[5] https://security-tracker.debian.org/tracker/CVE-2021-44497
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44497
[6] https://security-tracker.debian.org/tracker/CVE-2021-44498
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44498
[7] https://security-tracker.debian.org/tracker/CVE-2021-44499
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44499
[8] https://security-tracker.debian.org/tracker/CVE-2021-44500
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44500
[9] https://security-tracker.debian.org/tracker/CVE-2021-44501
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44501
[10] https://security-tracker.debian.org/tracker/CVE-2021-44502
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44502
[11] https://security-tracker.debian.org/tracker/CVE-2021-44503
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44503
[12] https://security-tracker.debian.org/tracker/CVE-2021-44504
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44504
[13] https://security-tracker.debian.org/tracker/CVE-2021-44505
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44505
[14] https://security-tracker.debian.org/tracker/CVE-2021-44506
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44506
[15] https://security-tracker.debian.org/tracker/CVE-2021-44507
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44507
[16] https://security-tracker.debian.org/tracker/CVE-2021-44508
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44508
[17] https://security-tracker.debian.org/tracker/CVE-2021-44509
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44509
[18] https://security-tracker.debian.org/tracker/CVE-2021-44510
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44510

Please adjust the affected versions in the BTS as needed.


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.16.0-6-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
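
The signed-length pattern that CVE-2021-44493, CVE-2021-44499 and CVE-2021-44504 describe, shown beside a hardened form as an added C example. It is not GT.M or YottaDB code: `flawed_copy_size`, `safe_extract`, `OUT_MAX` and the start/end arithmetic are hypothetical stand-ins for a substring routine, and the sample string is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OUT_MAX 32  /* constructed size of a stack destination buffer */

/* Flawed pattern: the length is a signed int and only the upper bound is
 * checked. Returns the byte count memcpy would be given (0 = rejected). */
static size_t flawed_copy_size(int start, int end)
{
    /* unsigned arithmetic keeps the demo free of signed-overflow UB */
    int len = (int)((unsigned)end - (unsigned)start + 1u);
    if (len > OUT_MAX)      /* a negative len passes this test */
        return 0;
    return (size_t)len;     /* negative int becomes a huge size_t */
}

/* Hardened form: clamp the 1-based range to the source, treat an inverted
 * range as empty, and bound the copy by the destination in size_t.
 * Returns bytes copied, or -1 if the result does not fit. */
static long safe_extract(char *dst, size_t dst_size, const char *src,
                         size_t src_len, long start, long end)
{
    if (dst_size == 0)
        return -1;
    if (start < 1)
        start = 1;
    if (end < start || (size_t)start > src_len) {
        dst[0] = '\0';
        return 0;
    }
    if ((size_t)end > src_len)
        end = (long)src_len;
    size_t n = (size_t)(end - start) + 1;  /* end >= start: no underflow */
    if (n >= dst_size)
        return -1;
    memcpy(dst, src + (start - 1), n);
    dst[n] = '\0';
    return (long)n;
}

int main(void)
{
    char out[OUT_MAX];
    printf("flawed size for (10,2): %zu\n", flawed_copy_size(10, 2));
    printf("safe result for (10,2): %ld\n",
           safe_extract(out, sizeof out, "hello world", 11, 10, 2));
    return 0;
}
```

The flawed helper only computes the size and never performs the copy, so the program is safe to run as written.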
--- Begin Message ---
Source: fis-gtm
Source-Version: 7.0-002-1
Done: Amul Shah <amul.s...@fisglobal.com>

We believe that the bug you reported is fixed in the latest version of
fis-gtm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1009...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Amul Shah <amul.s...@fisglobal.com> (supplier of updated fis-gtm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 31 May 2022 11:56:33 -0400
Source: fis-gtm
Binary: fis-gtm fis-gtm-7.0 fis-gtm-7.0-dbgsym
Architecture: source amd64
Version: 7.0-002-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team <debian-med-packag...@lists.alioth.debian.org>
Changed-By: Amul Shah <amul.s...@fisglobal.com>
Description:
 fis-gtm    - metapackage for the latest version of FIS-GT.M database
 fis-gtm-7.0 - FIS-GT.M database version 7.0-002
Closes: 1009900 1011722
Changes:
 fis-gtm (7.0-002-1) unstable; urgency=medium
 .
   [ Amul Shah ]
   * Update to GT.M V7.0-002
     Closes: #1009900
     Closes: #1011722
   * Adjust gtminstall parameters to fix installation
 .
   [ Andreas Tille ]
   * Standards-Version: 4.6.1 (routine-update)
   * Simplify naming scheme of binary packages to just major.minor without
     the '-micro' part.
   * Adapt creation of lintian-overrides to new lintian warning syntax
   * Add some more lintian-overrides

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
