Package: iraf-wcstools
Version: 3.9.6-1
Severity: important
X-Debbugs-Cc: garnik...@gmail.com

Dear Maintainer,

I would like to report a potential security issue related to the iraf-wcstools
project.
The project currently includes a code fragment in the libwcs/str2dsun.c file
that is very similar to a vulnerable code fragment from the mujs project,
identified as CVE-2021-33797.

CVE-2021-33797 involves a buffer overflow in jsdtoa.c in the mujs project.
Given the similarity in codebases, it is possible that iraf-wcstools might also
be affected by this vulnerability.

My report is primarily based on a static analysis tool developed at CAST, which
flagged the potential vulnerability due to similarities in the codebase.

Thank you for your attention to this matter and for your dedication to ensuring
the security and stability of the project.


-- System Information:
Debian Release: bookworm/sid
  APT prefers jammy-updates
  APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), (100, 'jammy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.5.0-35-generic (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages iraf-wcstools depends on:
ii  iraf      2.17-1
ii  wcstools  3.9.6-1

iraf-wcstools recommends no packages.

iraf-wcstools suggests no packages.

-- no debconf information