CFITSIO before version 3.43 unsafely uses sprintf() in multiple files without checking input size. A remote unauthenticated attacker could exploit this to execute arbitrary code.
Created cfitsio tracking bugs for this issue:
Affects: fedora-all [bug 1563915]
Affects: epel-all [bug 1563916]
Openshift Enterprise 2 is out of support scope. Marking it as wont fix.
The CVE-2018-1000166 is possibly a duplicate of CVE-2018-3846, CVE-2018-3848 and CVE-2018-3849.
(In reply to Salvatore Bonaccorso from comment #4)
> The CVE-2018-1000166 is possibly a duplicate of CVE-2018-3846, CVE-2018-3848
> and CVE-2018-3849.
Looks like you are correct. Changed CVE-2018-1000166 to CVE-2018-3846 and filed separate BZ for CVE-2018-3848 and CVE-2018-3849.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):