[Secure-testing-commits] r56962 - data/CVE

Raphaël Hertzog Wed, 25 Oct 2017 02:26:09 -0700

Author: hertzog
Date: 2017-10-25 09:25:40 +0000 (Wed, 25 Oct 2017)
New Revision: 56962


Modified:
   data/CVE/list
Log:
Add reproducibility results and upstream reports for all exiv2 CVE

Modified: data/CVE/list
===================================================================
--- data/CVE/list       2017-10-25 09:20:25 UTC (rev 56961)
+++ data/CVE/list       2017-10-25 09:25:40 UTC (rev 56962)
@@ -2577,48 +2577,73 @@
        - restlet <itp> (bug #596472)
 CVE-2017-14866 (There is a heap-based buffer overflow in the Exiv2::s2Data 
function of ...)
        - exiv2 <unfixed>
+       NOTE: https://github.com/Exiv2/exiv2/issues/140
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494781
-       TODO: check, asked reporter to contact upstream
+       TODO: check
+       NOTE: Unreproducible on wheezy/jessie/stretch/sid(0.25-3.1).
+       NOTE: Reproducible in experimental(0.26-1) with valgrind (and "free(): 
corrupted unsorted chunks" without valgrind).
 CVE-2017-14865 (There is a heap-based buffer overflow in the Exiv2::us2Data 
function of ...)
        - exiv2 <unfixed>
+       NOTE: https://github.com/Exiv2/exiv2/issues/134
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494778
-       TODO: check, asked reporter to contact upstream
+       TODO: check
+       NOTE: Unreproducible on wheezy/jessie/stretch/sid(0.25-3.1).
+       NOTE: Reproducible in experimental(0.26-1) with valgrind (and "free(): 
corrupted unsorted chunks" without valgrind).
 CVE-2017-14864 (An Invalid memory address dereference was discovered in 
Exiv2::getULong ...)
        - exiv2 <unfixed>
+       NOTE: https://github.com/Exiv2/exiv2/issues/73
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494467
-       TODO: check, asked reporter to contact upstream
+       TODO: check
+       NOTE: Unreproducible on wheezy/jessie/stretch/sid(0.25-3.1).
+       NOTE: Reproducible in experimental(0.26-1) with valgrind (and segfault 
without valgrind).
 CVE-2017-14863 (A NULL pointer dereference was discovered in ...)
        - exiv2 <unfixed>
+       NOTE: https://github.com/Exiv2/exiv2/issues/132
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494443
-       TODO: check, asked reporter to contact upstream
+       TODO: check
+       NOTE: Unreproducible on wheezy/jessie/stretch/sid(0.25-3.1).
+       NOTE: Reproducible in experimental(0.26-1) with valgrind (and "free(): 
invalid next size (fast)" without valgrind).
 CVE-2017-14862 (An Invalid memory address dereference was discovered in ...)
        - exiv2 <unfixed>
+       NOTE: https://github.com/Exiv2/exiv2/issues/75
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494786
-       TODO: check, asked reporter to contact upstream
+       TODO: check
+       NOTE: Unreproducible on wheezy/jessie/stretch/sid(0.25-3.1).
+       NOTE: Reproducible in experimental(0.26-1) with valgrind (and segfault 
without valgrind).
 CVE-2017-14861 (There is a stack consumption vulnerability in the ...)
        - exiv2 <unfixed>
+       NOTE: https://github.com/Exiv2/exiv2/issues/139
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494787
-       TODO: check, asked reporter to contact upstream
+       TODO: check
+       NOTE: Unreproducible on wheezy/jessie/stretch/sid(0.25-3.1).
+       NOTE: Reproducible in experimental(0.26-1) with valgrind (and segfault 
without valgrind).
 CVE-2017-14860 (There is a heap-based buffer over-read in the ...)
        - exiv2 <unfixed>
+       NOTE: https://github.com/Exiv2/exiv2/issues/71
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494776
-       TODO: check, asked reporter to contact upstream
+       TODO: check
+       NOTE: Unreproducible on wheezy/jessie/stretch/sid(0.25-3.1).
+       NOTE: Reproducible in experimental(0.26-1) with valgrind (and segfault 
without valgrind).
 CVE-2017-14859 (An Invalid memory address dereference was discovered in ...)
        - exiv2 <unfixed>
+       NOTE: https://github.com/Exiv2/exiv2/issues/74
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494780
-       TODO: check, asked reporter to contact upstream
+       TODO: check
        NOTE: Unreproducible on wheezy/jessie/stretch/sid(0.25-3.1).
        NOTE: Reproducible in experimental(0.26-1).
 CVE-2017-14858 (There is a heap-based buffer overflow in the Exiv2::l2Data 
function of ...)
        - exiv2 <unfixed>
+        NOTE: https://github.com/Exiv2/exiv2/issues/138
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494782
-       TODO: check, asked reporter to contact upstream
+       TODO: check
        NOTE: Unreproducible on wheezy/jessie/stretch/sid(0.25-3.1).
        NOTE: Reproducible in experimental(0.26-1) with a different error 
(double free or corruption (out))
 CVE-2017-14857 (In Exiv2 0.26, there is an invalid free in the Image class in 
image.cpp ...)
        - exiv2 <unfixed>
+       NOTE: https://github.com/Exiv2/exiv2/issues/76
+       NOTE: https://github.com/Exiv2/exiv2/issues/124
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1495043
-       TODO: check, asked reporter to contact upstream
+       TODO: check
        NOTE: Unreproducible on wheezy/jessie/stretch/sid(0.25-3.1).
        NOTE: Reproducible in experimental(0.26-1).
 CVE-2017-14856


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r56962 - data/CVE

Reply via email to