Author: jmm Date: 2017-01-18 21:21:00 +0000 (Wed, 18 Jan 2017) New Revision: 48169
Modified: data/CVE/list Log: more jasper triage NFUs Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-01-18 21:10:11 UTC (rev 48168) +++ data/CVE/list 2017-01-18 21:21:00 UTC (rev 48169) @@ -310,9 +310,10 @@ TODO: check CVE-2017-5505 RESERVED - - jasper <removed> + - jasper <removed> (unimportant) NOTE: https://blogs.gentoo.org/ago/2017/01/16/jasper-invalid-memory-read-in-jas_matrix_asl-jas_seq-c NOTE: https://github.com/mdadams/jasper/issues/88 + NOTE: Not suitable for code injection, hardly denial of service CVE-2017-5504 RESERVED - jasper <removed> @@ -5301,6 +5302,7 @@ RESERVED CVE-2017-3387 RESERVED + NOT-FOR-US: Oracle CVE-2017-3386 RESERVED CVE-2017-3385 @@ -5337,8 +5339,10 @@ RESERVED CVE-2017-3369 RESERVED + NOT-FOR-US: Oracle CVE-2017-3368 RESERVED + NOT-FOR-US: Oracle CVE-2017-3367 RESERVED CVE-2017-3366 @@ -5507,6 +5511,7 @@ RESERVED CVE-2017-3303 RESERVED + NOT-FOR-US: Oracle CVE-2017-3302 RESERVED CVE-2017-3301 @@ -5558,24 +5563,30 @@ RESERVED CVE-2017-3286 RESERVED + NOT-FOR-US: Oracle CVE-2017-3285 RESERVED CVE-2017-3284 RESERVED CVE-2017-3283 RESERVED + NOT-FOR-US: Oracle CVE-2017-3282 RESERVED + NOT-FOR-US: Oracle CVE-2017-3281 RESERVED + NOT-FOR-US: Oracle CVE-2017-3280 RESERVED + NOT-FOR-US: Oracle CVE-2017-3279 RESERVED CVE-2017-3278 RESERVED CVE-2017-3277 RESERVED + NOT-FOR-US: Oracle CVE-2017-3276 RESERVED NOT-FOR-US: Solaris @@ -5687,6 +5698,7 @@ RESERVED CVE-2017-3246 RESERVED + NOT-FOR-US: Oracle CVE-2017-3245 RESERVED NOT-FOR-US: Oracle FLEXCUBE @@ -15493,12 +15505,13 @@ CVE-2016-8887 [NULL pointer dereference in jp2_colr_destroy (jp2_cod.c)] RESERVED {DLA-739-1} - - jasper <removed> + - jasper <removed> (unimportant) NOTE: https://blogs.gentoo.org/ago/2016/10/18/jasper-null-pointer-dereference-in-jp2_colr_destroy-jp2_cod-c NOTE: Fixed by: https://github.com/mdadams/jasper/commit/e24bdc716c3327b067c551bc6cfb97fd2370358d (version-1.900.10) NOTE: When fixing this issue look at the followup report NOTE: https://blogs.gentoo.org/ago/2016/10/23/jasper-null-pointer-dereference-in-jp2_colr_destroy-jp2_cod-c-incomplete-fix-for-cve-2016-8887 NOTE: and include the fix to not make jasper vulnerable to the incomplete fix. + NOTE: Not suitable for code injection, hardly denial of service CVE-2016-8886 [memory allocation failure in jas_malloc (jas_malloc.c)] RESERVED - jasper <removed> (low) @@ -15520,14 +15533,16 @@ NOTE: https://blogs.gentoo.org/ago/2016/10/18/jasper-two-null-pointer-dereference-in-bmp_getdata-bmp_dec-c-incomplete-fix-for-cve-2016-8690 CVE-2016-8883 (The jpc_dec_tiledecode function in jpc_dec.c in JasPer before 1.900.8 ...) {DLA-739-1} - - jasper <removed> + - jasper <removed> (unimportant) NOTE: https://github.com/mdadams/jasper/issues/32 NOTE: https://github.com/mdadams/jasper/commit/33cc2cfa51a8d0fc3116d16cc1d8fc581b3f9e8d + NOTE: Not suitable for code injection, hardly denial of service CVE-2016-8882 (The jpc_dec_tilefini function in libjasper/jpc/jpc_dec.c in JasPer ...) {DLA-739-1} - - jasper <removed> + - jasper <removed> (unimportant) NOTE: https://github.com/mdadams/jasper/issues/30 NOTE: https://github.com/mdadams/jasper/commit/69a1439a5381e42b06ec6a06ed2675eb793babee (version-1.900.8) + NOTE: Not suitable for code injection, hardly denial of service CVE-2016-8881 REJECTED CVE-2016-8880 @@ -15675,15 +15690,17 @@ CVE-2016-8692 [FPE on unknown address ... jpc_dec_process_siz ... jpc_dec.c] RESERVED {DLA-739-1} - - jasper <removed> (low; bug #841111) + - jasper <removed> (unimportant; low; bug #841111) NOTE: https://blogs.gentoo.org/ago/2016/10/16/jasper-two-divide-by-zero-in-jpc_dec_process_siz-jpc_dec-c/ NOTE: Fixed by: https://github.com/mdadams/jasper/commit/d8c2604cd438c41ec72aff52c16ebd8183068020 (version-1.900.4) + NOTE: Not suitable for code injection, hardly denial of service CVE-2016-8691 [FPE on unknown address ... jpc_dec_process_siz ... jpc_dec.c] RESERVED {DLA-739-1} - - jasper <removed> (bug #841111) + - jasper <removed> (unimportant; bug #841111) NOTE: https://blogs.gentoo.org/ago/2016/10/16/jasper-two-divide-by-zero-in-jpc_dec_process_siz-jpc_dec-c/ NOTE: Fixed by: https://github.com/mdadams/jasper/commit/d8c2604cd438c41ec72aff52c16ebd8183068020 (version-1.900.4) + NOTE: Not suitable for code injection, hardly denial of service CVE-2016-8690 [SEGV on unknown address ... bmp_getdata ... bmp_dec.c] RESERVED - jasper <removed> (low; bug #841112) _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits