Source: igraph
Version: 0.7.1-2.1
Severity: important
Tags: patch security upstream
Control: clone -1 -2
Control: reassign -2 src:r-cran-igraph 1.2.2-1
Control: retitle -2 r-cran-igraph: CVE-2018-20349
Control: forwarded -1 https://github.com/igraph/igraph/issues/1141

Hi,

The following vulnerability was published for igraph.

CVE-2018-20349[0]:
| The igraph_i_strdiff function in igraph_trie.c in igraph through 0.7.1
| has an NULL pointer dereference that allows attackers to cause a denial
| of service (application crash) via a crafted object.

The underlying issue seems to be triggered if there is a missing key
attribute in a <data> tag, which the patch then will skip/ignore.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20349
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20349
[1] https://github.com/igraph/igraph/issues/1141
[2] https://github.com/igraph/igraph/commit/e3a9566e6463186230f215151b57b893df6d9ce2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
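
The failure mode described in this report, as an added example that is not igraph's code or the upstream patch: a `<data>` element without a `key` attribute yields a NULL string, which a prefix-comparison helper would dereference, so the hardened handler skips the element. The names `common_prefix`, `find_attr` and `handle_data_element`, the return codes and the sample attribute lists are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a trie prefix comparison such as
   igraph_i_strdiff: returns the length of the common prefix.
   It dereferences both pointers unconditionally. */
static size_t common_prefix(const char *a, const char *b) {
    size_t n = 0;
    while (a[n] != '\0' && a[n] == b[n]) n++;
    return n;
}

/* SAX-style attribute list: name, value, name, value, ..., NULL. */
static const char *find_attr(const char **attrs, const char *name) {
    for (size_t i = 0; attrs && attrs[i] && attrs[i + 1]; i += 2)
        if (strcmp(attrs[i], name) == 0) return attrs[i + 1];
    return NULL; /* attribute absent */
}

/* Resolves the key of a <data> element against the declared keys.
   Returns the index of the matching key, -1 if the key is unknown,
   -2 if the element has no key attribute and is skipped. */
int handle_data_element(const char **attrs, const char **known, size_t nknown) {
    const char *key = find_attr(attrs, "key");
    /* Unguarded pattern: handing key to common_prefix() at this point
       dereferences NULL when <data> carries no key attribute. */
    if (key == NULL) return -2; /* hardened: ignore the element */
    for (size_t i = 0; i < nknown; i++) {
        size_t n = common_prefix(key, known[i]);
        if (key[n] == '\0' && known[i][n] == '\0') return (int)i;
    }
    return -1;
}

int main(void) {
    /* Constructed sample input, not taken from a real GraphML file. */
    const char *known[] = {"d0", "d1"};
    const char *with_key[] = {"key", "d1", NULL};
    const char *no_key[] = {"id", "x", NULL};
    printf("with key: %d\n", handle_data_element(with_key, known, 2));
    printf("no key:   %d\n", handle_data_element(no_key, known, 2));
    return 0;
}
```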

