Author: jmm
Date: 2017-01-18 21:21:00 +0000 (Wed, 18 Jan 2017)
New Revision: 48169

Modified:
   data/CVE/list
Log:
more jasper triage
NFUs


Modified: data/CVE/list
===================================================================
--- data/CVE/list       2017-01-18 21:10:11 UTC (rev 48168)
+++ data/CVE/list       2017-01-18 21:21:00 UTC (rev 48169)
@@ -310,9 +310,10 @@
        TODO: check
 CVE-2017-5505
        RESERVED
-       - jasper <removed>
+       - jasper <removed> (unimportant)
        NOTE: 
https://blogs.gentoo.org/ago/2017/01/16/jasper-invalid-memory-read-in-jas_matrix_asl-jas_seq-c
        NOTE: https://github.com/mdadams/jasper/issues/88
+       NOTE: Not suitable for code injection, hardly denial of service
 CVE-2017-5504
        RESERVED
        - jasper <removed>
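Review bot: the NOTE added under CVE-2017-5505 states only the conclusion ("Not suitable for code injection, hardly denial of service") and not the reason for it. The linked report title describes an invalid memory read in jas_matrix_asl, so naming that bug class in the NOTE would let a later reader check the (unimportant) rating without following the links.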
@@ -5301,6 +5302,7 @@
        RESERVED
 CVE-2017-3387
        RESERVED
+       NOT-FOR-US: Oracle
 CVE-2017-3386
        RESERVED
 CVE-2017-3385
@@ -5337,8 +5339,10 @@
        RESERVED
 CVE-2017-3369
        RESERVED
+       NOT-FOR-US: Oracle
 CVE-2017-3368
        RESERVED
+       NOT-FOR-US: Oracle
 CVE-2017-3367
        RESERVED
 CVE-2017-3366
@@ -5507,6 +5511,7 @@
        RESERVED
 CVE-2017-3303
        RESERVED
+       NOT-FOR-US: Oracle
 CVE-2017-3302
        RESERVED
 CVE-2017-3301
@@ -5558,24 +5563,30 @@
        RESERVED
 CVE-2017-3286
        RESERVED
+       NOT-FOR-US: Oracle
 CVE-2017-3285
        RESERVED
 CVE-2017-3284
        RESERVED
 CVE-2017-3283
        RESERVED
+       NOT-FOR-US: Oracle
 CVE-2017-3282
        RESERVED
+       NOT-FOR-US: Oracle
 CVE-2017-3281
        RESERVED
+       NOT-FOR-US: Oracle
 CVE-2017-3280
        RESERVED
+       NOT-FOR-US: Oracle
 CVE-2017-3279
        RESERVED
 CVE-2017-3278
        RESERVED
 CVE-2017-3277
        RESERVED
+       NOT-FOR-US: Oracle
 CVE-2017-3276
        RESERVED
        NOT-FOR-US: Solaris
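Review bot: the NOT-FOR-US lines added in this hunk name only the vendor ("Oracle"), while the neighbouring existing entry for CVE-2017-3276 names the product ("NOT-FOR-US: Solaris"). Naming the affected product on each added line would keep the entries consistent and make it possible to confirm later that the product really is not packaged. Since these CVEs are still RESERVED, a short pointer to the source of the assignment would also help.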
@@ -5687,6 +5698,7 @@
        RESERVED
 CVE-2017-3246
        RESERVED
+       NOT-FOR-US: Oracle
 CVE-2017-3245
        RESERVED
        NOT-FOR-US: Oracle FLEXCUBE
@@ -15493,12 +15505,13 @@
 CVE-2016-8887 [NULL pointer dereference in jp2_colr_destroy (jp2_cod.c)]
        RESERVED
        {DLA-739-1}
-       - jasper <removed>
+       - jasper <removed> (unimportant)
        NOTE: 
https://blogs.gentoo.org/ago/2016/10/18/jasper-null-pointer-dereference-in-jp2_colr_destroy-jp2_cod-c
        NOTE: Fixed by: 
https://github.com/mdadams/jasper/commit/e24bdc716c3327b067c551bc6cfb97fd2370358d
 (version-1.900.10)
        NOTE: When fixing this issue look at the followup report
        NOTE: 
https://blogs.gentoo.org/ago/2016/10/23/jasper-null-pointer-dereference-in-jp2_colr_destroy-jp2_cod-c-incomplete-fix-for-cve-2016-8887
        NOTE: and include the fix to not make jasper vulnerable to the 
incomplete fix.
+       NOTE: Not suitable for code injection, hardly denial of service
 CVE-2016-8886 [memory allocation failure in jas_malloc (jas_malloc.c)]
        RESERVED
        - jasper <removed> (low)
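Review bot: CVE-2016-8887 is rated (unimportant) here, but the entry keeps the NOTE lines "When fixing this issue look at the followup report ... and include the fix", which read as an open action item. Either reword those NOTEs to say the follow-up is tracked for reference only, or say in the new NOTE that the rating also covers the incomplete-fix report. The adjacent CVE-2016-8886 stays at (low), so it is worth confirming that the difference is intended.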
@@ -15520,14 +15533,16 @@
        NOTE: 
https://blogs.gentoo.org/ago/2016/10/18/jasper-two-null-pointer-dereference-in-bmp_getdata-bmp_dec-c-incomplete-fix-for-cve-2016-8690
 CVE-2016-8883 (The jpc_dec_tiledecode function in jpc_dec.c in JasPer before 
1.900.8 ...)
        {DLA-739-1}
-       - jasper <removed>
+       - jasper <removed> (unimportant)
        NOTE: https://github.com/mdadams/jasper/issues/32
        NOTE: 
https://github.com/mdadams/jasper/commit/33cc2cfa51a8d0fc3116d16cc1d8fc581b3f9e8d
+       NOTE: Not suitable for code injection, hardly denial of service
 CVE-2016-8882 (The jpc_dec_tilefini function in libjasper/jpc/jpc_dec.c in 
JasPer ...)
        {DLA-739-1}
-       - jasper <removed>
+       - jasper <removed> (unimportant)
        NOTE: https://github.com/mdadams/jasper/issues/30
        NOTE: 
https://github.com/mdadams/jasper/commit/69a1439a5381e42b06ec6a06ed2675eb793babee
 (version-1.900.8)
+       NOTE: Not suitable for code injection, hardly denial of service
 CVE-2016-8881
        REJECTED
 CVE-2016-8880
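Review bot: the commit NOTE under CVE-2016-8883 has no "(version-...)" tag, unlike the one under CVE-2016-8882 in the same hunk, which ends with "(version-1.900.8)". Since both entries are touched here, adding the fixed version to the CVE-2016-8883 commit NOTE would keep the two consistent. The identical justification NOTE is added to both entries; if they share a root cause, saying so would be more useful than repeating the sentence.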
@@ -15675,15 +15690,17 @@
 CVE-2016-8692 [FPE on unknown address ... jpc_dec_process_siz ... jpc_dec.c]
        RESERVED
        {DLA-739-1}
-       - jasper <removed> (low; bug #841111)
+       - jasper <removed> (unimportant; low; bug #841111)
        NOTE: 
https://blogs.gentoo.org/ago/2016/10/16/jasper-two-divide-by-zero-in-jpc_dec_process_siz-jpc_dec-c/
        NOTE: Fixed by: 
https://github.com/mdadams/jasper/commit/d8c2604cd438c41ec72aff52c16ebd8183068020
 (version-1.900.4)
+       NOTE: Not suitable for code injection, hardly denial of service
 CVE-2016-8691 [FPE on unknown address ... jpc_dec_process_siz ... jpc_dec.c]
        RESERVED
        {DLA-739-1}
-       - jasper <removed> (bug #841111)
+       - jasper <removed> (unimportant; bug #841111)
        NOTE: 
https://blogs.gentoo.org/ago/2016/10/16/jasper-two-divide-by-zero-in-jpc_dec_process_siz-jpc_dec-c/
        NOTE: Fixed by: 
https://github.com/mdadams/jasper/commit/d8c2604cd438c41ec72aff52c16ebd8183068020
 (version-1.900.4)
+       NOTE: Not suitable for code injection, hardly denial of service
 CVE-2016-8690 [SEGV on unknown address ... bmp_getdata ... bmp_dec.c]
        RESERVED
        - jasper <removed> (low; bug #841112)
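Review bot: the changed line for CVE-2016-8692 now carries two urgency values, "(unimportant; low; bug #841111)", whereas the CVE-2016-8691 line in the same hunk has only "(unimportant; bug #841111)". Drop "low" so the entry has a single urgency and matches its sibling. The unchanged CVE-2016-8690 entry below remains "(low; bug #841112)", so confirm it was deliberately left out of this triage.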


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
