Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ba911e8a by Moritz Muehlenhoff at 2021-07-01T11:04:59+02:00
new rar, darktable, photoflow issues
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -80,15 +80,25 @@ CVE-2020-36396
 CVE-2020-36395
        RESERVED
 CVE-2019-25049 (LibreSSL 2.9.1 through 3.2.1 has an out-of-bounds read in 
asn1_item_pr ...)
-       TODO: check
+       NOT-FOR-US: LibreSSL
 CVE-2019-25048 (LibreSSL 2.9.1 through 3.2.1 has a heap-based buffer over-read 
in do_p ...)
-       TODO: check
+       NOT-FOR-US: LibreSSL
 CVE-2018-25018 (UnRAR 5.6.1.7 through 5.7.4 and 6.0.3 has an out-of-bounds 
write durin ...)
-       TODO: check
+       - unrar-nonfree <unfixed>
+       NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9845
+       NOTE: https://github.com/aawc/unrar/releases
+       NOTE: 
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/unrar/OSV-2018-204.yaml
 CVE-2018-25017 (RawSpeed (aka librawspeed) 3.1 has a heap-based buffer 
overflow in Tab ...)
-       TODO: check
+       - darktable <unfixed>
+       - photoflow <unfixed>
+       NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5256
+       NOTE: 
https://github.com/darktable-org/rawspeed/commit/dbe7591e54bad5e6430d38be6bed051582da76b9
+       NOTE: 
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/librawspeed/OSV-2018-227.yaml
 CVE-2017-20006 (UnRAR 5.6.1.2 and 5.6.1.3 has a heap-based buffer overflow in 
Unpack:: ...)
-       TODO: check
+       - unrar-nonfree 1:5.6.6-1
+       NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4373
+       NOTE: 
https://github.com/aawc/unrar/commit/0ff832d31470471803b175cfff4e40c1b08ee779
+       NOTE: 
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/unrar/OSV-2017-104.yaml
 CVE-2021-3631
        RESERVED
 CVE-2021-36079
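Review bot: the two new `<unfixed>` entries in this hunk leave out information the linked references already give. For CVE-2018-25017 the fixing rawspeed commit (dbe7591e) is cited, but darktable and photoflow are both left at `<unfixed>`; since each of them ships its own embedded copy of rawspeed, the fixed version for each should be the first Debian upload whose bundled rawspeed contains that commit, and if that cannot be established now, the entry should at least carry a bug reference (`- darktable <unfixed> (bug #...)`) so the open issue is tracked against the package rather than only in the CVE list. For CVE-2018-25018 the description bounds the affected UnRAR versions at 6.0.3 and the aawc/unrar releases page is linked, so the first upstream release after 6.0.3 that contains the fix can be recorded as the fixed upstream version for unrar-nonfree instead of a bare `<unfixed>`. Both issues are OSS-Fuzz crash findings, so a severity marker (e.g. `(low)`) next to the package line would also be consistent with how similar fuzzer-found memory-safety issues are triaged in this file. The CVE-2017-20006 entry (fixed in 1:5.6.6-1 with the upstream commit cited) is complete as written.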
@@ -310,7 +320,7 @@ CVE-2021-35972
 CVE-2021-35971 (Veeam Backup and Replication 10 before 10.0.1.4854 P20210609 
and 11 be ...)
        NOT-FOR-US: Veeam
 CVE-2021-35970 (Talk 4 in Coral before 4.12.1 allows remote attackers to 
discover e-ma ...)
-       TODO: check
+       NOT-FOR-US: Coral
 CVE-2021-35969
        RESERVED
 CVE-2021-35968
@@ -7477,7 +7487,7 @@ CVE-2021-32738
 CVE-2021-32737
        RESERVED
 CVE-2021-32736 (think-helper defines a set of helper functions for ThinkJS. In 
version ...)
-       TODO: check
+       NOT-FOR-US: think-helper
 CVE-2021-32735
        RESERVED
 CVE-2021-32734
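Review bot: `NOT-FOR-US: think-helper` for CVE-2021-32736 is only safe if no `node-think-helper` source package and no embedded copy of the module exist in the archive; npm modules are frequently bundled inside other node-* packages, so a quick search of the tracker's package list (or `apt-cache search think-helper`) before closing the entry as NOT-FOR-US would avoid having to re-triage it later.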
@@ -10055,7 +10065,7 @@ CVE-2021-31723
 CVE-2021-31722
        RESERVED
 CVE-2021-31721 (Chevereto before 3.17.1 allows Cross Site Scripting (XSS) via 
an image ...)
-       TODO: check
+       NOT-FOR-US: Chevereto
 CVE-2021-31720
        RESERVED
 CVE-2021-31719
@@ -17169,11 +17179,11 @@ CVE-2021-28806 (A DOM-based XSS vulnerability has 
been reported to affect QNAP N
 CVE-2021-28805 (Inclusion of sensitive information in the source code has been 
reporte ...)
        NOT-FOR-US: QNAP
 CVE-2021-28804 (A command injection vulnerabilities have been reported to 
affect QTS a ...)
-       TODO: check
+       NOT-FOR-US: QNAP
 CVE-2021-28803 (This issue affects: QNAP Systems Inc. Q'center versions prior 
to 1.11. ...)
-       TODO: check
+       NOT-FOR-US: QNAP
 CVE-2021-28802 (A command injection vulnerabilities have been reported to 
affect QTS a ...)
-       TODO: check
+       NOT-FOR-US: QNAP
 CVE-2021-28801 (An out-of-bounds read vulnerability has been reported to 
affect certai ...)
        NOT-FOR-US: QNAP
 CVE-2021-28800 (A command injection vulnerability has been reported to affect 
QNAP NAS ...)
@@ -25657,11 +25667,11 @@ CVE-2020-36198 (A command injection vulnerability has 
been reported to affect ce
 CVE-2020-36197 (An improper access control vulnerability has been reported to 
affect e ...)
        NOT-FOR-US: QNAP
 CVE-2020-36196 (A stored XSS vulnerability has been reported to affect QNAP 
NAS runnin ...)
-       TODO: check
+       NOT-FOR-US: QNAP
 CVE-2020-36195 (An SQL injection vulnerability has been reported to affect 
QNAP NAS ru ...)
        NOT-FOR-US: QNAP
 CVE-2020-36194 (An XSS vulnerability has been reported to affect QNAP NAS 
running QTS  ...)
-       TODO: check
+       NOT-FOR-US: QNAP
 CVE-2021-3184 (MISP 2.4.136 has XSS via a crafted URL to the 
app/View/Elements/global ...)
        NOT-FOR-US: MISP
 CVE-2021-3183 (Files.com Fat Client 3.3.6 allows authentication bypass because 
the cl ...)
@@ -32378,21 +32388,21 @@ CVE-2021-22354 (There is an Information Disclosure 
Vulnerability in Huawei Smart
 CVE-2021-22353 (There is a Memory Buffer Improper Operation Limit 
Vulnerability in Hua ...)
        NOT-FOR-US: Huawei
 CVE-2021-22352 (There is a Configuration Defect Vulnerability in Huawei 
Smartphone. Su ...)
-       TODO: check
+       NOT-FOR-US: Huawei
 CVE-2021-22351 (There is a Credentials Management Errors Vulnerability in 
Huawei Smart ...)
-       TODO: check
+       NOT-FOR-US: Huawei
 CVE-2021-22350 (There is a Memory Buffer Improper Operation Limit 
Vulnerability in Hua ...)
-       TODO: check
+       NOT-FOR-US: Huawei
 CVE-2021-22349 (There is an Input Verification Vulnerability in Huawei 
Smartphone. Suc ...)
-       TODO: check
+       NOT-FOR-US: Huawei
 CVE-2021-22348 (There is a Memory Buffer Improper Operation Limit 
Vulnerability in Hua ...)
-       TODO: check
+       NOT-FOR-US: Huawei
 CVE-2021-22347
        RESERVED
 CVE-2021-22346 (There is an Improper Permission Management Vulnerability in 
Huawei Sma ...)
-       TODO: check
+       NOT-FOR-US: Huawei
 CVE-2021-22345 (There is an Input Verification Vulnerability in Huawei 
Smartphone. Suc ...)
-       TODO: check
+       NOT-FOR-US: Huawei
 CVE-2021-22344
        RESERVED
 CVE-2021-22343
@@ -37544,7 +37554,7 @@ CVE-2021-20754
 CVE-2021-20753
        RESERVED
 CVE-2021-20752 (Cross-site scripting vulnerability in IkaIka RSS Reader all 
versions a ...)
-       TODO: check
+       NOT-FOR-US: IkaIka RSS Reader
 CVE-2021-20751 (Cross-site scripting vulnerability in EC-CUBE EC-CUBE 4.0.0 to 
4.0.5-p ...)
        NOT-FOR-US: EC-CUBE
 CVE-2021-20750 (Cross-site scripting vulnerability in EC-CUBE EC-CUBE 3.0.0 to 
3.0.18- ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba911e8a603f4de3a0308595f6a097a101ed8317



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
