Author: opal
Date: 2017-02-28 21:04:54 +0000 (Tue, 28 Feb 2017)
New Revision: 49312
Modified: data/CVE/list data/dla-needed.txt Log: Marked a few CVEs as no-dsa for wheezy following jessie. Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-02-28 20:56:30 UTC (rev 49311) +++ data/CVE/list 2017-02-28 21:04:54 UTC (rev 49312) @@ -1890,6 +1890,7 @@ CVE-2017-XXXX [podofo: NULL pointer dereference in PdfInfo::GuessFormat (pdfinfo.cpp)] - libpodofo <unfixed> (bug #854605) [jessie] - libpodofo <no-dsa> (Minor issue) + [wheezy] - libpodofo <no-dsa> (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/ NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/02/02/21 
@@ -1897,30 +1898,35 @@ RESERVED - libpodofo 0.9.4-1 (bug #854599) [jessie] - libpodofo <no-dsa> (Minor issue) + [wheezy] - libpodofo <no-dsa> (Minor issue) NOTE: https://sourceforge.net/p/podofo/mailman/message/34205419/ NOTE: https://sourceforge.net/p/podofo/code/1672 CVE-2017-5855 [NULL pointer dereference in PoDoFo::PdfParser::ReadXRefSubsection] RESERVED - libpodofo <unfixed> (bug #854603) [jessie] - libpodofo <no-dsa> (Minor issue) + [wheezy] - libpodofo <no-dsa> (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-podofopdfparserreadxrefsubsection-pdfparser-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 CVE-2017-5854 [NULL pointer dereference in PdfOutputStream.cpp] RESERVED - libpodofo <unfixed> (bug #854602) [jessie] - libpodofo <no-dsa> (Minor issue) + [wheezy] - libpodofo <no-dsa> (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfoutputstream-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 CVE-2017-5853 [Signed integer overflow in PdfParser.cpp] RESERVED - libpodofo <unfixed> (bug #854601) [jessie] - libpodofo <no-dsa> (Minor issue) + [wheezy] - libpodofo <no-dsa> (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-signed-integer-overflow-in-pdfparser-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 CVE-2017-5852 [Infinite loop in PoDoFo::PdfPage::GetInheritedKeyFromObject] RESERVED - libpodofo <unfixed> (bug #854600) [jessie] - libpodofo <no-dsa> (Minor issue) + [wheezy] - libpodofo <no-dsa> (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-infinite-loop-in-podofopdfpagegetinheritedkeyfromobject-pdfpage-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 CVE-2017-5849 
[Out-of-Bound read and write issues in put1bitbwtile() and putgreytile()] Modified: data/dla-needed.txt =================================================================== --- data/dla-needed.txt 2017-02-28 20:56:30 UTC (rev 49311) +++ data/dla-needed.txt 2017-02-28 21:04:54 UTC (rev 49312) @@ -52,11 +52,7 @@ NOTE: Pinged on 2017-02-06 https://github.com/libical/libical/issues/253#issuecomment-277580552 (lamby) -- libpodofo - NOTE: CVE-2017-5854 does not crash but the NULL check is missing - NOTE: CVE-2017-5855 does not crash since the Wheezy code being different - NOTE: CVE-2017-5852, CVE-2017-5853 crash in Wheezy - NOTE: CVE-2015-8981 Wheezy is affected, patch is straightforward. - NOTE: 20170226: No patches available for other issues. + NOTE: 20170226: No patches available. -- libquicktime (Balint Reczey) NOTE: added 2017-02-25, please give maintainer some time to respond
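Review bot: in the data/CVE/list hunks, every added `[wheezy] - libpodofo <no-dsa> (Minor issue)` line copies the jessie reason unchanged, while the notes this same commit removes from data/dla-needed.txt record wheezy-specific results: CVE-2017-5854 and CVE-2017-5855 do not crash, CVE-2017-5852 and CVE-2017-5853 crash in Wheezy. Suggest carrying those findings over as NOTE lines under the matching CVE entries, so the wheezy decision is backed by what was observed on wheezy and not only by the jessie triage.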
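Review bot: in the data/dla-needed.txt hunk, the replacement line `NOTE: 20170226: No patches available.` conflicts with the removed line saying that for CVE-2015-8981 Wheezy is affected and the patch is straightforward. Either keep the CVE-2015-8981 note or state why that patch no longer counts. The `libpodofo` line itself stays as context, so the package remains on the list while its entries in data/CVE/list are marked no-dsa for wheezy in the same commit; a short note naming the issue that still keeps it listed would make the entry self-explanatory.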