[Secure-testing-commits] r49637 - in data: CVE DLA

Salvatore Bonaccorso Mon, 13 Mar 2017 04:28:54 -0700

Author: carnil
Date: 2017-03-13 11:28:40 +0000 (Mon, 13 Mar 2017)
New Revision: 49637


Modified:
   data/CVE/list
   data/DLA/list
Log:
CVE-2016-10249/jasper assigned

Modified: data/CVE/list
===================================================================
--- data/CVE/list       2017-03-13 11:25:58 UTC (rev 49636)
+++ data/CVE/list       2017-03-13 11:28:40 UTC (rev 49637)
@@ -58,8 +58,6 @@
        RESERVED
 CVE-2016-10250
        RESERVED
-CVE-2016-10249
-       RESERVED
 CVE-2016-10248 [NULL pointer dereference in jpc_tsfb_synthesize (jpc_tsfb.c)]
        RESERVED
        - jasper <removed>
@@ -19945,14 +19943,12 @@
        NOTE: This is strongly related to the problem described in 
CVE-2016-7543 and the correction
        NOTE: is very similar.
        NOTE: https://lists.gnu.org/archive/html/bug-bash/2015-12/msg00112.html
-CVE-2016-XXXX [heap-based buffer overflow in jpc_dec_tiledecode (jpc_dec.c)]
+CVE-2016-10249 [heap-based buffer overflow in jpc_dec_tiledecode (jpc_dec.c)]
        - jasper <removed>
-       [wheezy] - jasper 1.900.1-13+deb7u5
-       NOTE: Workaround entry for DLA-739-1 until CVE is assigned
        NOTE: Fixed by: 
https://github.com/mdadams/jasper/commit/988f8365f7d8ad8073b6786e433d34c553ecf568
 (version-1.900.12)
        NOTE: 
https://blogs.gentoo.org/ago/2016/10/23/jasper-heap-based-buffer-overflow-in-jpc_dec_tiledecode-jpc_dec-c/
        NOTE: Reproducer: 
https://github.com/asarubbo/poc/blob/master/00001-jasper-heapoverflow-jpc_dec_tiledecode
-       NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/10/23/7
+       NOTE: http://www.openwall.com/lists/oss-security/2016/10/23/7
 CVE-2016-XXXX [NULL pointer dereference in jp2_colr_destroy (jp2_cod.c) 
(incomplete fix for CVE-2016-8887)]
        - jasper <not-affected> (Incomplete fix for CVE-206-8887 not applied)
        NOTE: Reproducer: 
https://github.com/asarubbo/poc/blob/master/00002-jasper-NULLptr-jp2_colr_destroy

Modified: data/DLA/list
===================================================================
--- data/DLA/list       2017-03-13 11:25:58 UTC (rev 49636)
+++ data/DLA/list       2017-03-13 11:28:40 UTC (rev 49637)
@@ -370,7 +370,7 @@
 [11 Dec 2016] DLA-731-2 imagemagick - regression update
        [wheezy] - imagemagick 8:6.7.7.10-5+deb7u9
 [10 Dec 2016] DLA-739-1 jasper - security update
-       {CVE-2016-8654 CVE-2016-8691 CVE-2016-8692 CVE-2016-8693 CVE-2016-8882 
CVE-2016-8883 CVE-2016-8887 CVE-2016-9560}
+       {CVE-2016-8654 CVE-2016-8691 CVE-2016-8692 CVE-2016-8693 CVE-2016-8882 
CVE-2016-8883 CVE-2016-8887 CVE-2016-9560 CVE-2016-10249}
        [wheezy] - jasper 1.900.1-13+deb7u5
 [08 Dec 2016] DLA-738-1 spip - security update
        {CVE-2016-9152}


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r49637 - in data: CVE DLA

Reply via email to