Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker


Commits:
accb17ef by Helmut Grohne at 2023-01-10T11:59:40+01:00
triage leptonlib

 * Remove a bunch of annotations that will end up conflicting with the
   ELTS tracker.
 * Note patch for CVE-2018-7442 and explain that it changes behaviour.
 * Note that CVE-2018-7441 is not neutralized, remove unimportant, list
   patches.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -325949,8 +325949,6 @@ CVE-2017-18190 (A localhost.localdomain whitelist 
entry in valid_host() in sched
 CVE-2018-7186 (Leptonica before 1.75.3 does not limit the number of characters 
in a % ...)
        {DLA-1302-1}
        - leptonlib 1.75.3-2 (low; bug #890548)
-       [stretch] - leptonlib <no-dsa> (Minor issue)
-       [jessie] - leptonlib <no-dsa> (Minor issue)
        NOTE: 
https://github.com/DanBloomberg/leptonica/commit/ee301cb2029db8a6289c5295daa42bba7715e99a
 CVE-2018-7180 (SQL Injection exists in the Saxum Astro 4.0.14 component for 
Joomla! v ...)
        NOT-FOR-US: Saxum Astro component for Joomla!
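Review bot: Dropping the `[stretch]`/`[jessie] - leptonlib <no-dsa> (Minor issue)` lines for CVE-2018-7186 removes the only record in this file that those two suites were triaged; the commit message justifies it as avoiding conflicts with the ELTS tracker, so make sure the equivalent triage state already exists there before this lands, otherwise the information is silently lost. The `{DLA-1302-1}` reference and the upstream fix-commit NOTE are left untouched, which is right.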
@@ -335436,17 +335434,19 @@ CVE-2018-3837 (An exploitable information 
disclosure vulnerability exists in the
        NOTE: 
https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0519
 CVE-2018-7442 (An issue was discovered in Leptonica through 1.75.3. The 
gplotMakeOutp ...)
        - leptonlib 1.76.0-1 (bug #898439)
-       [stretch] - leptonlib <no-dsa> (Minor issue)
-       [jessie] - leptonlib <no-dsa> (Minor issue)
        [wheezy] - leptonlib <ignored> (Minor issue)
        NOTE: https://lists.debian.org/debian-lts/2018/02/msg00086.html
+       NOTE: 
https://github.com/DanBloomberg/leptonica/commit/24cca39cbeafd7943fb6ec723c9c1f525c24eb9f
+       NOTE: The patch deactivates debugging functions by default and thus 
changes behaviour.
 CVE-2018-7441 (Leptonica through 1.75.3 uses hardcoded /tmp pathnames, which 
might al ...)
-       - leptonlib 1.76.0-1 (unimportant)
+       - leptonlib 1.76.0-1
        NOTE: https://lists.debian.org/debian-lts/2018/02/msg00054.html
-       NOTE: Neutralised by kernel hardening
+       NOTE: Not neutralised by kernel hardening, because subdirectories of 
/tmp are not hardened
+       NOTE: 
https://github.com/DanBloomberg/leptonica/commit/dcaf546c748aaf13fd14289677037e83d749455f
+       NOTE: The patch requires CVE-2018-7442 patch as underlying 
infrastructure.
+       NOTE: The patch deactivates debugging functions by default and thus 
changes behaviour.
 CVE-2017-18196 (Leptonica 1.74.4 constructs unintended pathnames (containing 
duplicate ...)
        - leptonlib 1.74.4-2 (low; bug #885704)
-       [stretch] - leptonlib <no-dsa> (Minor issue)
        [jessie] - leptonlib <not-affected> (Vulnerable code not present)
        [wheezy] - leptonlib <not-affected> (Vulnerable code not present)
 CVE-2018-7440 (An issue was discovered in Leptonica through 1.75.3. The 
gplotMakeOutp ...)
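Review bot: The CVE-2018-7441 source line `- leptonlib 1.76.0-1` is left with no severity once `(unimportant)` is removed, while the new NOTE ("Not neutralised by kernel hardening, because subdirectories of /tmp are not hardened") argues the issue is real; either put the severity that replaces `unimportant` on that line or add a NOTE saying it is deliberately left unrated, so the next triager does not read the bare line as an oversight. "Kernel hardening" is also vague in both the old and new NOTE; naming the specific mechanism the claim refers to would let someone re-check it. Two smaller points: the NOTE "The patch deactivates debugging functions by default and thus changes behaviour." is duplicated verbatim under CVE-2018-7442 and CVE-2018-7441, and since the 7441 NOTE already says its patch requires the 7442 patch, a single note under 7442 with a cross-reference from 7441 would be clearer; and the `[wheezy] - leptonlib <ignored>` line for CVE-2018-7442 plus the `[jessie]`/`[wheezy] <not-affected>` lines for CVE-2017-18196 stay while the `[stretch]`/`[jessie] <no-dsa>` lines go, so if the rule is that only no-dsa states move to the ELTS tracker, say so in the commit message.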
@@ -335459,8 +335459,6 @@ CVE-2018-7440 (An issue was discovered in Leptonica 
through 1.75.3. The gplotMak
 CVE-2018-3836 (An exploitable command injection vulnerability exists in the 
gplotMake ...)
        {DLA-1284-1}
        - leptonlib 1.75.3-1 (bug #889759)
-       [stretch] - leptonlib <no-dsa> (Minor issue)
-       [jessie] - leptonlib <no-dsa> (Minor issue)
        NOTE: 
https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0516
        NOTE: https://github.com/DanBloomberg/leptonica/issues/303
        NOTE: When fixing this issue make sure the fix is complete and includes 
as well
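Review bot: With the `[stretch]`/`[jessie] <no-dsa>` lines for CVE-2018-3836 removed, the retained NOTE "When fixing this issue make sure the fix is complete and includes as well" is exactly the guidance anyone handling this issue in those suites needs, so it should travel to the ELTS tracker together with the triage state rather than remain only here; its continuation falls outside the hunk context, so check that the full text is what gets carried over.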



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/accb17ef45236f07536a694b7f1c6762b87d4b0f



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
