Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
3508be63 by Salvatore Bonaccorso at 2018-05-01T05:44:39+02:00
Expand note for CVE-2018-7263
Back in February 2018, this was tried to be clarified with MITRE.
Basically there are two CVE assignments left, and CVE-2018-7263 not
marked as duplicate of CVE-2017-11552 (but instead used the formulation
"this might overlap with ...") because there was no clear proof that they
are exactly the same errors. Further it was stated "However, if there are
two different code paths by which libmad is used incorrectly, and both
code paths result in "double free or corruption" errors, then we would
represent this with two CVEs."
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -8507,7 +8507,13 @@ CVE-2004-2779 (id3_utf16_deserialize() in utf16.c in
libid3tag through 0.15.1b .
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=162647
NOTE:
https://sources.debian.org/patches/libid3tag/0.15.1b-13/10_utf16.dpatch/
CVE-2018-7263 (The mad_decoder_run() function in decoder.c in Underbit libmad
through ...)
- NOTE: Seems like a duplicate of CVE-2017-11552
+ NOTE: Seems like a duplicate of CVE-2017-11552 relates to the issue
raised in
+ NOTE: https://bugs.debian.org/870608
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1081784
+ NOTE: MITRE stated, that "[...] However, if there are two different code
+ NOTE: paths by which libmad is used incorrectly, and both code paths
result
+ NOTE: in "double free or corruption" errors, then we would represent
this
+ NOTE: with two CVEs."
CVE-2018-7262 (In Ceph before 12.2.3 and 13.x through 13.0.1, the
rgw_civetweb.cc ...)
- ceph <not-affected> (Issue introduced later)
NOTE: See details in https://bugs.debian.org/891963#15 . Ceph as
present in
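Review bot: The first added NOTE line for CVE-2018-7263 runs two statements together ("Seems like a duplicate of CVE-2017-11552 relates to the issue raised in") and does not parse as one sentence. Split it into one NOTE for the duplicate remark and a second NOTE such as "Relates to the issue raised in" ahead of the two bug URLs. The commit message says MITRE did not mark CVE-2018-7263 as a duplicate and used "this might overlap with ..." wording, so the retained "Seems like a duplicate" could be softened to match what the quoted MITRE statement supports. The MITRE quote would also read more cleanly with single quotes around the inner 'double free or corruption', since the outer quotation already uses double quotes.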
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3508be63b51341a257ad4dd6ac446ad0c5675da0