Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
98da9f80 by Salvatore Bonaccorso at 2021-02-18T07:31:45+01:00
Add CVE-2019-17582/libzip
Note that the reporter states "This use-after-free is triggered prior to
the double free reported in CVE-2017-12858." and a second CVE assigned.
Please double-check correctness of CVE-2019-17582 tracking.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -101523,7 +101523,11 @@ CVE-2019-17584 (The Meinberg SyncBox/PTP/PTPv2
devices have default SSH keys whi
CVE-2019-17583 (idreamsoft iCMS 7.0.15 allows remote attackers to cause a
denial of se ...)
NOT-FOR-US: idreamsoft iCMS
CVE-2019-17582 (A use-after-free in the _zip_dirent_read function of
zip_dirent.c in l ...)
- TODO: check
+ - libzip <not-affected> (Vulnerable code introduced later; and never in
a released version in Debian)
+ NOTE: Introduced after:
https://github.com/nih-at/libzip/commit/796c5968ad679220db3fb65ec6f48c66e554e5d5
(rel-1-2-0)
+ NOTE: Fixed by:
https://github.com/nih-at/libzip/commit/2217022b7d1142738656d891e00b3d2d9179b796
(rel-1-3-0)
+ NOTE: Same fixing commit as CVE-2017-12858 apparently, but CVE
assignment for
+ NOTE: two different use-after-free issues.
CVE-2019-17581 (tonyy dormsystem through 1.3 allows DOM XSS. ...)
NOT-FOR-US: tonyy dormsystem
CVE-2019-17580 (tonyy dormsystem through 1.3 allows SQL Injection in
admin.php. ...)
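Review bot: the `<not-affected>` verdict on the new `libzip` line rests on an unstated premise: that no Debian upload was ever built from a libzip snapshot between the introducing commit (rel-1-2-0) and the fixing commit (rel-1-3-0). Since the commit message itself asks for a double-check, the justification should name the Debian version(s) that were compared against those two tags, so a later reader can verify the claim instead of re-deriving it; the current text "Vulnerable code introduced later; and never in a released version in Debian" records the conclusion but not the evidence (and the semicolon before "and" reads better as a comma). The last two NOTE lines already say the fixing commit is shared with CVE-2017-12858, which is the right place to record that the two CVEs cover distinct use-after-free issues.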
@@ -221539,7 +221543,7 @@ CVE-2017-12859 (NetApp Data ONTAP before 8.2.5, when
operating in 7-Mode in NFS
CVE-2017-12858 (Double free vulnerability in the _zip_dirent_read function in
zip_dire ...)
- libzip <not-affected> (Vulnerable code introduced later)
NOTE: Introduced after:
https://github.com/nih-at/libzip/commit/796c5968ad679220db3fb65ec6f48c66e554e5d5
(rel-1-2-0)
- NOTE: Fixed by:
https://github.com/nih-at/libzip/commit/2217022b7d1142738656d891e00b3d2d9179b796
+ NOTE: Fixed by:
https://github.com/nih-at/libzip/commit/2217022b7d1142738656d891e00b3d2d9179b796
(rel-1-3-0)
CVE-2017-12857 (Polycom SoundStation IP, VVX, and RealPresence Trio that are
running s ...)
NOT-FOR-US: Polycom
CVE-2017-12856 (Cross-site scripting (XSS) vulnerability in C.P.Sub 5.2 allows
remote ...)
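Review bot: with "(rel-1-3-0)" now on the "Fixed by" NOTE, the CVE-2017-12858 entry carries the same introducing and fixing commits as the new CVE-2019-17582 entry, but the cross-reference is one-directional: CVE-2019-17582 points here, nothing here points back. Add a NOTE on this entry referencing CVE-2019-17582 (and the reporter's statement that its use-after-free is triggered before this double free), so that anyone revisiting the `<not-affected>` status of either entry sees both at once.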
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98da9f80ddcab7227816413eae278672cab164f9
--
_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits