Author: jmm
Date: 2017-08-10 02:59:38 +0000 (Thu, 10 Aug 2017)
New Revision: 54504

Modified:
   data/CVE/list
Log:
podofo no-dsa
libsndfile no-dsa
libmad no-dsa
jasper n/a and unimportant
ruby-rack-cors n/a in jessie


Modified: data/CVE/list
===================================================================
--- data/CVE/list       2017-08-10 02:53:14 UTC (rev 54503)
+++ data/CVE/list       2017-08-10 02:59:38 UTC (rev 54504)
@@ -2917,7 +2917,9 @@
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1471772
        TODO: check
 CVE-2017-11552 (The mad_decoder_run function in decoder.c in libmad 0.15.1b 
allows ...)
-       - libmad <unfixed> (bug #870406)
+       - libmad <unfixed> (low; bug #870406)
+       [stretch] - libmad <no-dsa> (Minor issue)
+       [jessie] - libmad <no-dsa> (Minor issue)
        NOTE: http://seclists.org/fulldisclosure/2017/Jul/94
 CVE-2017-11551 (The id3_field_parse function in field.c in libid3tag 0.15.1b 
allows ...)
        - libid3tag <unfixed> (bug #870333)
@@ -3862,6 +3864,8 @@
 CVE-2017-12562 (Heap-based Buffer Overflow in the psf_binheader_writef 
function in ...)
        {DLA-1049-1}
        - libsndfile 1.0.28-3 (bug #869166)
+       [stretch] - libsndfile <no-dsa> (Minor issue)
+       [jessie] - libsndfile <no-dsa> (Minor issue)
        NOTE: https://github.com/erikd/libsndfile/issues/292
        NOTE: 
https://github.com/erikd/libsndfile/commit/cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8
 CVE-2017-11196 (Pulse Connect Secure 8.3R1 has CSRF in logout.cgi. The logout 
function ...)
@@ -3916,6 +3920,7 @@
        NOT-FOR-US: XOOPS
 CVE-2017-11173 (Missing anchor in generated regex for rack-cors before 0.4.1 
allows a ...)
        - ruby-rack-cors 0.4.1-1
+       [jessie] - ruby-rack-cors <not-affected> (Vulnerable code not present)
 CVE-2017-11172
        RESERVED
 CVE-2017-1000096
@@ -10782,6 +10787,8 @@
        NOT-FOR-US: Accellion FTA devices
 CVE-2017-8787 (The PoDoFo::PdfXRefStreamParserObject::ReadXRefStreamEntry 
function in ...)
        - libpodofo <unfixed> (bug #861738)
+       [stretch] - libpodofo <no-dsa> (Minor issue)
+       [jessie] - libpodofo <no-dsa> (Minor issue)
        [wheezy] - libpodofo <no-dsa> (Minor issue)
        NOTE: Possible unspecified impact. Needs further analysis.
        NOTE: Proposed patch (for wheezy) attached to bug #861738.
@@ -11741,6 +11748,8 @@
        NOTE: Fixed by: 
http://git.qemu.org/?p=qemu.git;a=commit;h=fa18f36a461984eae50ab957e47ec78dae3c14fc
 CVE-2017-8378 (Heap-based buffer overflow in the PdfParser::ReadObjects 
function in ...)
        - libpodofo <unfixed> (bug #861597)
+       [stretch] - libpodofo <no-dsa> (Minor issue)
+       [jessie] - libpodofo <no-dsa> (Minor issue)
        [wheezy] - libpodofo <no-dsa> (Minor issue)
        NOTE: 
https://github.com/xiangxiaobo/poc_and_report/tree/master/podofo_heapoverflow_PdfParser.ReadObjects
        NOTE: Proposed patch (for wheezy) attached to bug #861597.
@@ -12624,6 +12633,8 @@
        NOT-FOR-US: WatchGuard
 CVE-2017-8054 (The function PdfPagesTree::GetPageNodeFromArray in 
PdfPageTree.cpp:464 ...)
        - libpodofo <unfixed> (bug #860995)
+       [stretch] - libpodofo <no-dsa> (Minor issue)
+       [jessie] - libpodofo <no-dsa> (Minor issue)
        [wheezy] - libpodofo <no-dsa> (Minor issue)
        NOTE: The motivation for no-dsa in wheezy is that there are no known
        NOTE: services that use this library (apart from desktop applications)
@@ -12632,6 +12643,8 @@
        NOTE: PoC: https://github.com/qwertwwwe/PoC/blob/master/podofo/PoC
 CVE-2017-8053 (PoDoFo 0.9.5 allows denial of service (infinite recursion and 
stack ...)
        - libpodofo <unfixed> (bug #860994)
+       [stretch] - libpodofo <no-dsa> (Minor issue)
+       [jessie] - libpodofo <no-dsa> (Minor issue)
        [wheezy] - libpodofo <no-dsa> (Minor issue)
        NOTE: http://openwall.com/lists/oss-security/2017/04/22/1
        NOTE: The motivation for no-dsa in wheezy is that there are no known
@@ -12757,6 +12770,7 @@
        NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1033948
 CVE-2017-7994 (The function TextExtractor::ExtractText in TextExtractor.cpp:77 
in ...)
        - libpodofo <unfixed> (bug #860930)
+       [stretch] - libpodofo <no-dsa> (Minor issue)
        [jessie] - libpodofo <no-dsa> (Minor issue)
        [wheezy] - libpodofo <no-dsa> (Minor issue)
        NOTE: https://github.com/icepng/PoC/tree/master/PoC1
@@ -14996,35 +15010,41 @@
 CVE-2017-7383 (The PdfFontFactory.cpp:195:62 code in PoDoFo 0.9.5 allows 
remote ...)
        {DLA-968-1}
        - libpodofo 0.9.4-6 (bug #859329)
+       [jessie] - libpodofo <no-dsa> (Minor issue)
        NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/3
        NOTE: https://github.com/asarubbo/poc/blob/master/00252-podofo-nullptr4
        NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1848
 CVE-2017-7382 (The PdfFontFactory.cpp:200:88 code in PoDoFo 0.9.5 allows 
remote ...)
        {DLA-968-1}
        - libpodofo 0.9.4-6 (bug #859329)
+       [jessie] - libpodofo <no-dsa> (Minor issue)
        NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/3
        NOTE: https://github.com/asarubbo/poc/blob/master/00251-podofo-nullptr3
        NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1848
 CVE-2017-7381 (The doc/PdfPage.cpp:609:23 code in PoDoFo 0.9.5 allows remote 
attackers ...)
        {DLA-968-1}
        - libpodofo 0.9.4-6 (bug #859329)
+       [jessie] - libpodofo <no-dsa> (Minor issue)
        NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/3
        NOTE: https://github.com/asarubbo/poc/blob/master/00251-podofo-nullptr2
        NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1848
 CVE-2017-7380 (The doc/PdfPage.cpp:614:20 code in PoDoFo 0.9.5 allows remote 
attackers ...)
        {DLA-968-1}
        - libpodofo 0.9.4-6 (bug #859329)
+       [jessie] - libpodofo <no-dsa> (Minor issue)
        NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/3
        NOTE: https://github.com/asarubbo/poc/blob/master/00250-podofo-nullptr1
        NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1848
 CVE-2017-7379 (The PoDoFo::PdfSimpleEncoding::ConvertToEncoding function in 
...)
        {DLA-929-1}
        - libpodofo 0.9.4-5 (bug #859331)
+       [jessie] - libpodofo <no-dsa> (Minor issue)
        NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/2
        NOTE: upstream fix: https://sourceforge.net/p/podofo/code/1842/
 CVE-2017-7378 (The PoDoFo::PdfPainter::ExpandTabs function in PdfPainter.cpp 
in PoDoFo ...)
        {DLA-968-1}
        - libpodofo 0.9.4-6 (bug #859330)
+       [jessie] - libpodofo <no-dsa> (Minor issue)
        NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/1
        NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1847
 CVE-2017-7377 (The (1) v9fs_create and (2) v9fs_lcreate functions in 
hw/9pfs/9p.c in ...)
@@ -21634,7 +21654,7 @@
        NOTE: https://github.com/mdadams/jasper/issues/89
        NOTE: Not suitable for code injection, hardly denial of service
 CVE-2017-5503 (The dec_clnpass function in libjasper/jpc/jpc_t1dec.c in JasPer 
...)
-       - jasper <removed>
+       - jasper <not-affected> (Vulnerable code introduced later)
        NOTE: 
https://blogs.gentoo.org/ago/2017/01/16/jasper-invalid-memory-write-in-dec_clnpass-jpc_t1dec-c
        NOTE: https://github.com/mdadams/jasper/issues/90
 CVE-2017-5502 (libjasper/jp2/jp2_dec.c in JasPer 1.900.17 allows remote 
attackers to ...)
@@ -21644,10 +21664,11 @@
        NOTE: https://github.com/mdadams/jasper/issues/76
        NOTE: Not suitable for code injection, hardly denial of service
 CVE-2017-5501 (Integer overflow in libjasper/jpc/jpc_tsfb.c in JasPer 1.900.17 
allows ...)
-       - jasper <removed>
+       - jasper <removed> (unimportant)
        NOTE: Reproducer: 
https://github.com/asarubbo/poc/blob/master/00022-jasper-signedintoverflow-jpc_tsfb_c
        NOTE: 
http://blogs.gentoo.org/ago/2017/01/16/jasper-multiple-crashes-with-ubsan/
        NOTE: https://github.com/mdadams/jasper/issues/70
+       NOTE: Only crashes with debug builds using ubsan
 CVE-2017-5500 (libjasper/jpc/jpc_dec.c in JasPer 1.900.17 allows remote 
attackers to ...)
        - jasper <removed> (unimportant)
        NOTE: Triggers an assert. Not suitable for code injection, hardly 
denial of service


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

Reply via email to