Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f6dd99b0 by Salvatore Bonaccorso at 2018-03-02T20:24:16+01:00
Update status for CVE-2018-7440 and CVE-2018-3836

Since the incomplete fix for CVE-2018-3836 was not applied to stretch
and jessie, mark those versions as not affected (with explanation). Add
a note to CVE-2018-3836 to make sure the issue is completely fixed
if/once it's addressed for stretch and jessie.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -9854,6 +9854,8 @@ CVE-2017-18196 (Leptonica 1.74.4 constructs unintended 
pathnames (containing dup
        - leptonlib 1.74.4-2 (bug #885704)
 CVE-2018-7440 (An issue was discovered in Leptonica through 1.75.3. The ...)
        - leptonlib <unfixed> (bug #891932)
+       [stretch] - leptonlib <not-affected> (Incomplete fix for CVE-2018-3836 
not applied)
+       [jessie] - leptonlib <not-affected> (Incomplete fix for CVE-2018-3836 
not applied)
        NOTE: 
https://github.com/DanBloomberg/leptonica/issues/303#issuecomment-366472212
        NOTE: 
https://github.com/DanBloomberg/leptonica/pull/313/commits/49ecb6c2dfd6ed5078c62f4a8eeff03e3beced3b
 CVE-2018-3836 [gplotMakeOutput Command Injection Vulnerability]
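Review bot: the reason string on the two added [stretch] and [jessie] lines, "Incomplete fix for CVE-2018-3836 not applied", can be misread as "a fix is missing", which sits oddly next to <not-affected>. Wording such as "Vulnerable code introduced by the incomplete fix for CVE-2018-3836, which is not applied" would state directly why these releases are not affected. Leaving the unsuffixed "- leptonlib <unfixed> (bug #891932)" entry untouched is consistent with that reading.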
@@ -9862,6 +9864,9 @@ CVE-2018-3836 [gplotMakeOutput Command Injection 
Vulnerability]
        - leptonlib 1.75.3-1 (bug #889759)
        NOTE: 
https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0516
        NOTE: https://github.com/DanBloomberg/leptonica/issues/303
+       NOTE: When fixing this issue make sure the fix is complete and includes 
as well
+       NOTE: 
https://github.com/DanBloomberg/leptonica/pull/313/commits/49ecb6c2dfd6ed5078c62f4a8eeff03e3beced3b
+       NOTE: to not open CVE-2018-7440.
 CVE-2018-3835 (An exploitable out of bounds write vulnerability exists in 
version 2.2 ...)
        NOT-FOR-US: Per Face Texture (PTEX)
 CVE-2018-3834
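Review bot: the reminder added under CVE-2018-3836 is a single sentence split across three NOTE: lines with the commit URL in the middle, so any one of them read or grepped on its own ("NOTE: to not open CVE-2018-7440.") carries no usable meaning. Consider keeping the sentence on one line and the URL on the next, for example "NOTE: A complete fix must also include the following commit, otherwise CVE-2018-7440 is opened:" followed by the URL line. The same commit URL is already noted under CVE-2018-7440 in the previous hunk, so a short cross-reference to that entry would also work.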



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/f6dd99b0c59554e0f0a8073f6bb13b1903897810
