Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits: b8a54735 by Markus Koschany at 2019-11-10T17:32:17Z Triage CVE for libgig. Mark as no-dsa for Jessie. Minor security risk. See #931309 for more information. - - - - - 8589d5e5 by Markus Koschany at 2019-11-10T17:33:40Z Remove libgig from dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -60594,21 +60594,27 @@ CVE-2018-18198 (The $opener_input_field variable in addons/mediapool/pages/index NOT-FOR-US: REDAXO CVE-2018-18197 (An issue was discovered in libgig 4.1.0. There is an operator new[] fa ...) - libgig <unfixed> (bug #931309) + [jessie] - libgig <no-dsa> (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md CVE-2018-18196 (An issue was discovered in libgig 4.1.0. There is a heap-based buffer ...) - libgig <unfixed> (bug #931309) + [jessie] - libgig <no-dsa> (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md CVE-2018-18195 (An issue was discovered in libgig 4.1.0. There is an FPE (divide-by-ze ...) - libgig <unfixed> (bug #931309) + [jessie] - libgig <no-dsa> (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md CVE-2018-18194 (An issue was discovered in libgig 4.1.0. There is a heap-based buffer ...) - libgig <unfixed> (bug #931309) + [jessie] - libgig <no-dsa> (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md CVE-2018-18193 (An issue was discovered in libgig 4.1.0. There is operator new[] failu ...) - libgig <unfixed> (bug #931309) + [jessie] - libgig <no-dsa> (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md CVE-2018-18192 (An issue was discovered in libgig 4.1.0. There is a NULL pointer deref ...) - libgig <unfixed> (bug #931309) + [jessie] - libgig <no-dsa> (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md CVE-2018-18191 (Cross-site request forgery (CSRF) vulnerability in /admin.php?c=member ...) NOT-FOR-US: FineCms @@ -70348,36 +70354,47 @@ CVE-2018-14460 (An issue was discovered in the HDF HDF5 1.8.20 library. There is NOTE: https://github.com/TeamSeri0us/pocs/blob/master/hdf5/README3.md CVE-2018-14459 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds wri ...) - libgig <unfixed> (bug #931309) + [jessie] - libgig <no-dsa> (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14458 (An issue was discovered in libgig 4.1.0. There is a heap-based buffer ...) - libgig <unfixed> (bug #931309) + [jessie] - libgig <no-dsa> (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14457 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds wri ...) - libgig <unfixed> (bug #931309) + [jessie] - libgig <no-dsa> (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14456 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds wri ...) - libgig <unfixed> (bug #931309) + [jessie] - libgig <no-dsa> (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14455 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds wri ...) - libgig <unfixed> (bug #931309) + [jessie] - libgig <no-dsa> (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14454 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds rea ...) - libgig <unfixed> (bug #931309) + [jessie] - libgig <no-dsa> (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14453 (An issue was discovered in libgig 4.1.0. There is a heap-based buffer ...) - libgig <unfixed> (bug #931309) + [jessie] - libgig <no-dsa> (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14452 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds rea ...) - libgig <unfixed> (bug #931309) + [jessie] - libgig <no-dsa> (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14451 (An issue was discovered in libgig 4.1.0. There is a heap-based buffer ...) - libgig <unfixed> (bug #931309) + [jessie] - libgig <no-dsa> (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14450 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds rea ...) - libgig <unfixed> (bug #931309) + [jessie] - libgig <no-dsa> (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14449 (An issue was discovered in libgig 4.1.0. There is an out of bounds rea ...) - libgig <unfixed> (bug #931309) + [jessie] - libgig <no-dsa> (Minor issue) NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md CVE-2018-14448 (Codec::parse in track.cpp in Untrunc through 2018-06-07 has a NULL poi ...) - untrunc <itp> (bug #702476) ===================================== data/dla-needed.txt ===================================== @@ -53,10 +53,6 @@ libav (Sylvain Beucler) NOTE: 20190831: might fix the issue. Furthermore, most libav bugs have PoCs, NOTE: 20190831: so there is something one can test with and see if the fix worked. -- -libgig (Markus Koschany) - NOTE: 20191103: Contacted upstream for undetermined CVE. They have not been - NOTE: fixed yet. I am currently investigating how serious they are. --- libmatio (Adrian Bunk) NOTE: fairly high number of open issues. Not sure why we never had a look at them. NOTE: triage work needed, help security team for fixes if needed. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/e472d2696baf190f244b6beb6d90236668581ba7...8589d5e5a7a0fb0197c7d22bb85e0f6ce9fc4f92 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/e472d2696baf190f244b6beb6d90236668581ba7...8589d5e5a7a0fb0197c7d22bb85e0f6ce9fc4f92 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits