[Secure-testing-commits] r12708 - data/CVE
Michael Gilbert
gilbert-guest at alioth.debian.org
Sun Aug 30 17:09:16 UTC 2009
Author: gilbert-guest
Date: 2009-08-30 17:09:16 +0000 (Sun, 30 Aug 2009)
New Revision: 12708
Modified:
data/CVE/list
Log:
beginning of embedded code copies triage (5 down 395 to go)
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2009-08-30 03:00:07 UTC (rev 12707)
+++ data/CVE/list 2009-08-30 17:09:16 UTC (rev 12708)
@@ -1286,6 +1286,7 @@
CVE-2009-2660 (Multiple integer overflows in CamlImages 2.2 might allow ...)
{DSA-1857-1}
- camlimages 1:3.0.1-3 (medium; bug #540146)
+ - advi <not-affected> (affected code section not present in advi code copy of camlimages)
CVE-2009-2657 (nilfs-utils before 2.0.14 installs multiple programs with unnecessary ...)
- nilfs2-tools <not-affected> (dh_fixperms removes the setuid and setgid bits from all files)
CVE-2009-2656 (Unspecified vulnerability in the com.android.phone process in Android ...)
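Review bot: the `advi <not-affected>` line gives the reason (affected section not present in the copy) but not which file or which embedded camlimages version was inspected, so the claim cannot be re-checked later; the other copy entries in this commit use a bracketed path such as `[./imported/*]`, and a matching `NOTE: ... [./path/*]` with the embedded version would make this one verifiable in the same way.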
@@ -1303,6 +1304,8 @@
CVE-2009-XXXX [VLC: integer underflow in Real RTSP]
- vlc 1.0.1-1
- mplayer <unfixed>
+ - xine-lib <unfixed>
+ NOTE: affected mplayer code copy present in xine-lib
NOTE: Posting on full-disclosure contains details
CVE-2009-2655 (mshtml.dll in Microsoft Internet Explorer 7 and 8 on Windows XP SP3 ...)
NOT-FOR-US: Microsoft Internet Explorer
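Review bot: `xine-lib <unfixed>` is added under a placeholder entry (`CVE-2009-XXXX`) with a NOTE that names the mplayer copy but no path and no bug number or severity, unlike the `- neon27 0.28.6-1 (medium; bug #542926)` style used elsewhere in this file; adding the location of the copy in brackets and filing or referencing a bug would keep this consistent and make the `<unfixed>` state actionable for the xine-lib maintainers.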
@@ -1777,11 +1780,16 @@
- neon27 0.28.6-1 (medium; bug #542926)
- neon26 <unfixed> (medium; bug #542926)
- neon <removed> (medium; bug #542926)
+ - gnome-vfs2 <unfixed>
+ NOTE: affected neon code copy present in gnome-vfs2 [./imported/*]
+ - litmus <removed>
+ NOTE: affected neon code copy present in litmus [./libneon/*]
CVE-2009-2473 (neon before 0.28.6, when expat is used, does not properly detect ...)
- neon27 <not-affected> (neon27 is compiled to use libxml2 instead of expat)
- neon26 <not-affected> (neon26 is compiled to use libxml2 instead of expat)
- neon <removed>
[etch] - neon <not-affected> (neon is compiled to use libxml2 instead of expat)
+ TODO: check whether gnome-vfs2 and litmus are also not-affected; do they also libxml2?
CVE-2009-2472 (Mozilla Firefox before 3.0.12 does not always use ...)
{DSA-1840-1}
- xulrunner 1.9.0.12-1
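Review bot: for CVE-2009-2473 the gnome-vfs2 and litmus copies are recorded only as a TODO, so neither package has a tracked state for that CVE even though both were just listed as carrying the affected neon copy for the preceding entry; the deciding fact is the same one recorded for neon27 (`compiled to use libxml2 instead of expat`), so checking the build configuration of the copies and adding either `<not-affected>` lines with that reason or `<unfixed>` lines would close the gap. The TODO text also drops a verb (`do they also libxml2?` should read `do they also use libxml2?`).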
@@ -1994,11 +2002,15 @@
NOT-FOR-US: Apple Safari
CVE-2009-2419 (Use-after-free vulnerability in the servePendingRequests function in ...)
- webkit 1.1.10-1
+ - qt4-x11 <unfixed>
+ NOTE: affected embedded webkit code copy present in qt4-x11 [./src/3rdparty/webkit/WebCore/*]
CVE-2009-2418
RESERVED
CVE-2009-2417 (lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is ...)
{DSA-1869-1}
- curl 7.19.5-1.1 (medium; bug #541991)
+ - wget <unfixed>
+ TODO: check whether wget affected [src/openssl.c]; not an embed, but similar functionality
CVE-2009-2416 (Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, ...)
{DSA-1861-1 DSA-1859-1}
- libxml2 2.7.3.dfsg-2.1 (low; bug #540865)
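Review bot: `wget <unfixed>` for CVE-2009-2417 contradicts the TODO directly beneath it, which says it is not yet known whether wget is affected and that `src/openssl.c` is not an embedded copy of the curl code but only similar functionality; marking it `<unfixed>` asserts a vulnerability the commit itself has not confirmed, so the package line should be withheld (keeping the TODO) until the certificate-name check in `src/openssl.c` has actually been compared against the lib/ssluse.c issue. The qt4-x11 entry above is fine as it records the copy path `[./src/3rdparty/webkit/WebCore/*]`.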
@@ -2975,6 +2987,8 @@
- libpng 1.2.37-1 (low; bug #533676)
[etch] - libpng <no-dsa> (Minor issue, only exploitable in rare setups)
[lenny] - libpng <no-dsa> (Minor issue, only exploitable in rare setups)
+ - xulrunner <unfixed>
+ NOTE: libpng code copy present in xulrunner [./modules/libimg/png/*] and possibly [./gfx/cairo/cairo/*]
CVE-2009-2041 (Cross-site scripting (XSS) vulnerability in A51 D.O.O. activeCollab ...)
NOT-FOR-US: activeCollab
CVE-2009-2040 (admin/options.php in Grestul 1.2 does not properly restrict access, ...)
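Review bot: the xulrunner NOTE says only that a libpng copy is present (not that it is affected, which the other NOTEs in this commit state explicitly) and hedges with `possibly` on the cairo path, yet the package is marked `<unfixed>`; the embedded libpng version in `./modules/libimg/png/*` should be checked and recorded before the state is set. Given that both `[etch]` and `[lenny]` libpng lines carry `<no-dsa> (Minor issue, only exploitable in rare setups)`, the xulrunner line would also normally carry the same `low` severity annotation as `- libpng 1.2.37-1 (low; bug #533676)` rather than none.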