Author: rbalint
Date: 2017-01-31 20:46:30 +0000 (Tue, 31 Jan 2017)
New Revision: 48631

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
wavpack's issues don't affect wheezy

The first part of the upstream patch is not needed since the
code is very different and not vulnerable.
The second part applies, but does not make any difference when
trying the exploits. Tested with valgrind on Wheezy.

Modified: data/CVE/list
===================================================================
--- data/CVE/list       2017-01-31 20:10:36 UTC (rev 48630)
+++ data/CVE/list       2017-01-31 20:46:30 UTC (rev 48631)
@@ -260,16 +260,19 @@
 CVE-2016-10171 [heap out of bounds read in unreorder_channels / wvunpack.c]
        RESERVED
        - wavpack 5.0.0-2 (bug #853076)
+       [wheezy] - wavpack <not-affected> (Vulnerable code not present)
        NOTE: https://sourceforge.net/p/wavpack/mailman/message/35561939/
        NOTE: Fixed by: 
https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc 
(5.1.0)
 CVE-2016-10170 [heap out of bounds read in WriteCaffHeader / caff.c]
        RESERVED
        - wavpack 5.0.0-2 (bug #853076)
+       [wheezy] - wavpack <not-affected> (Vulnerable code not present)
        NOTE: https://sourceforge.net/p/wavpack/mailman/message/35561921/
        NOTE: Fixed by: 
https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc 
(5.1.0)
 CVE-2016-10169 [global buffer overread in read_code / read_words.c]
        RESERVED
        - wavpack 5.0.0-2 (bug #853076)
+       [wheezy] - wavpack <not-affected> (Vulnerable code not present)
        NOTE: https://sourceforge.net/p/wavpack/mailman/message/35557889/
        NOTE: Fixed by: 
https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc 
(5.1.0)
 CVE-2016-10166 [Fix potential unsigned underflow]
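
Review bot: The reason "(Vulnerable code not present)" on the three added [wheezy] lines does not match what the commit log says about the whole upstream fix. The log states that the second part of the patch does apply to wheezy and was only found to make no difference when running the exploits under valgrind. For the CVE that second part belongs to, consider a reason that reflects this, or add a NOTE line saying the code path exists but the test cases did not reproduce on wheezy, so a later reader does not assume the affected function is absent.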

Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt 2017-01-31 20:10:36 UTC (rev 48630)
+++ data/dla-needed.txt 2017-01-31 20:46:30 UTC (rev 48631)
@@ -101,11 +101,6 @@
 --
 svgsalamander
 --
-wavpack (Balint Reczey)
-  NOTE: the provided testcases don't crash but this hunk
-  NOTE: 
https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc#diff-bc1807cb462afb05056502f77834c6ebR291
-  NOTE: is missing in the wheezy version
---
 wordpress (Markus Koschany)
 --
 xen
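
Review bot: Removing the wavpack entry also drops its NOTE that the linked hunk of the upstream commit is missing in the wheezy version, and nothing in the data/CVE/list change carries that forward. Consider moving that observation into a NOTE under the relevant CVE entry so the reasoning for not issuing a DLA stays in the tracker data and not only in the commit log.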

