Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4d5e37e0 by Salvatore Bonaccorso at 2019-12-23T15:57:31Z
Update information on CVE-2019-19847/libspiro

The issue is actually in an exported function, spiro_to_bpath0, but it's
not in the 'advertised' API. Cf.
https://github.com/fontforge/libspiro/issues/21#issuecomment-567983822 .
But no users seem present of the respective problematic function and as
such opted to mark it with negligible impact.

Safer might be to actually revert this, and mark it no-dsa.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -875,9 +875,11 @@ CVE-2019-19849 (An issue was discovered in TYPO3 before 
8.7.30, 9.x before 9.5.1
 CVE-2019-19848 (An issue was discovered in TYPO3 before 8.7.30, 9.x before 
9.5.12, and ...)
        NOT-FOR-US: TYPO3
 CVE-2019-19847 (Libspiro through 20190731 has a stack-based buffer overflow in 
the spi ...)
-       - libspiro <unfixed>
+       - libspiro <unfixed> (unimportant)
        [jessie] - libspiro <not-affected> (Vulnerable code not present)
        NOTE: https://github.com/fontforge/libspiro/issues/21
+       NOTE: 
https://github.com/fontforge/libspiro/issues/21#issuecomment-567983822
+       NOTE: 
https://github.com/fontforge/libspiro/commit/35233450c922787dad42321e359e5229ff470a1e
 CVE-2019-19846 (In Joomla! before 3.9.14, the lack of validation of 
configuration para ...)
        NOT-FOR-US: Joomla!
 CVE-2019-19845 (In Joomla! before 3.9.14, a missing access check in framework 
files co ...)
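
Review bot: The (unimportant) tag on the "- libspiro <unfixed>" line is justified only in the commit message (spiro_to_bpath0 is exported but not in the advertised API, and no users are known), while the two added NOTE lines are bare URLs. Consider adding a short NOTE that states this rationale next to them, so the triage reasoning is readable in data/CVE/list itself, and labelling what the linked upstream commit 35233450 represents, since the entry still reads <unfixed>. The commit message also says that reverting and marking the entry no-dsa might be safer, so the exported-symbol caveat is worth recording in the entry whichever tag is kept.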



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/4d5e37e0dc075b6da390cac870875b602f2be191
