Author: opal
Date: 2017-02-28 21:04:54 +0000 (Tue, 28 Feb 2017)
New Revision: 49312

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
Marked a few CVEs as no-dsa for wheezy following jessie.

Modified: data/CVE/list
===================================================================
--- data/CVE/list       2017-02-28 20:56:30 UTC (rev 49311)
+++ data/CVE/list       2017-02-28 21:04:54 UTC (rev 49312)
@@ -1890,6 +1890,7 @@
 CVE-2017-XXXX [podofo: NULL pointer dereference in PdfInfo::GuessFormat 
(pdfinfo.cpp)]
        - libpodofo <unfixed> (bug #854605)
        [jessie] - libpodofo <no-dsa> (Minor issue)
+       [wheezy] - libpodofo <no-dsa> (Minor issue)
        NOTE: 
https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/
        NOTE: 
https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936
        NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2017/02/02/21
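Review bot: the new [wheezy] line sits under a placeholder identifier (CVE-2017-XXXX) whose CVE request is still open per the "CVE Request:" NOTE in this hunk; when the real ID is assigned and the entry is renamed, the [wheezy] no-dsa line needs to travel with the [jessie] one, and it would help future triage if the "(Minor issue)" justification said why the wheezy build is considered minor rather than copying jessie's text verbatim.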
@@ -1897,30 +1898,35 @@
        RESERVED
        - libpodofo 0.9.4-1 (bug #854599)
        [jessie] - libpodofo <no-dsa> (Minor issue)
+       [wheezy] - libpodofo <no-dsa> (Minor issue)
        NOTE: https://sourceforge.net/p/podofo/mailman/message/34205419/
        NOTE: https://sourceforge.net/p/podofo/code/1672
 CVE-2017-5855 [NULL pointer dereference in 
PoDoFo::PdfParser::ReadXRefSubsection]
        RESERVED
        - libpodofo <unfixed> (bug #854603)
        [jessie] - libpodofo <no-dsa> (Minor issue)
+       [wheezy] - libpodofo <no-dsa> (Minor issue)
        NOTE: 
https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-podofopdfparserreadxrefsubsection-pdfparser-cpp
        NOTE: 
https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936
 CVE-2017-5854 [NULL pointer dereference in PdfOutputStream.cpp]
        RESERVED
        - libpodofo <unfixed> (bug #854602)
        [jessie] - libpodofo <no-dsa> (Minor issue)
+       [wheezy] - libpodofo <no-dsa> (Minor issue)
        NOTE: 
https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfoutputstream-cpp
        NOTE: 
https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936
 CVE-2017-5853 [Signed integer overflow in PdfParser.cpp]
        RESERVED
        - libpodofo <unfixed> (bug #854601)
        [jessie] - libpodofo <no-dsa> (Minor issue)
+       [wheezy] - libpodofo <no-dsa> (Minor issue)
        NOTE: 
https://blogs.gentoo.org/ago/2017/02/01/podofo-signed-integer-overflow-in-pdfparser-cpp
        NOTE: 
https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936
 CVE-2017-5852 [Infinite loop in PoDoFo::PdfPage::GetInheritedKeyFromObject]
        RESERVED
        - libpodofo <unfixed> (bug #854600)
        [jessie] - libpodofo <no-dsa> (Minor issue)
+       [wheezy] - libpodofo <no-dsa> (Minor issue)
        NOTE: 
https://blogs.gentoo.org/ago/2017/02/01/podofo-infinite-loop-in-podofopdfpagegetinheritedkeyfromobject-pdfpage-cpp
        NOTE: 
https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936
 CVE-2017-5849 [Out-of-Bound read and write issues in put1bitbwtile() and 
putgreytile()]
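Review bot: the [wheezy] no-dsa lines for CVE-2017-5852, CVE-2017-5853, CVE-2017-5854 and CVE-2017-5855 all carry the same "(Minor issue)" text as jessie, although the companion dla-needed.txt hunk in this commit removes notes stating that CVE-2017-5852 and CVE-2017-5853 "crash in Wheezy" and that CVE-2017-5854 still has the NULL check missing; consider recording the actual wheezy rationale (for example "No patches available" or "NULL dereference, DoS only") in each justification so the status does not look like it was inherited from jessie without a wheezy assessment. Also note that all four entries are still marked RESERVED and point at <unfixed> for unstable, so the upstream fix status may change and the wheezy lines should be revisited then.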

Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt 2017-02-28 20:56:30 UTC (rev 49311)
+++ data/dla-needed.txt 2017-02-28 21:04:54 UTC (rev 49312)
@@ -52,11 +52,7 @@
   NOTE: Pinged on 2017-02-06 
https://github.com/libical/libical/issues/253#issuecomment-277580552 (lamby)
 --
 libpodofo
-  NOTE: CVE-2017-5854 does not crash but the NULL check is missing
-  NOTE: CVE-2017-5855 does not crash since the Wheezy code being different
-  NOTE: CVE-2017-5852, CVE-2017-5853 crash in Wheezy
-  NOTE: CVE-2015-8981 Wheezy is affected, patch is straightforward.
-  NOTE: 20170226: No patches available for other issues.
+  NOTE: 20170226: No patches available.
 --
 libquicktime (Balint Reczey)
   NOTE: added 2017-02-25, please give maintainer some time to respond
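Review bot: collapsing the five per-CVE notes into a single "20170226: No patches available." discards wheezy-specific triage that is not recorded anywhere else in this commit, in particular "CVE-2015-8981 Wheezy is affected, patch is straightforward." is removed, but no corresponding change for CVE-2015-8981 appears in the data/CVE/list hunks above; either keep that line (or the crash/NULL-check observations for CVE-2017-5852, CVE-2017-5853 and CVE-2017-5854) in dla-needed.txt or add a NOTE pointing to where that status now lives, so the next DLA worker does not have to redo the analysis.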


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits