[Secure-testing-commits] r15800 - data/CVE

Thu Jan 6 00:36:11 UTC 2011

Author: geissert
Date: 2011-01-06 00:36:10 +0000 (Thu, 06 Jan 2011)
New Revision: 15800

Modified:
   data/CVE/list
Log:
track (pending review) issues reported by Silvio
add packages embedding code copies to a few CVEs


Modified: data/CVE/list
===================================================================

--- data/CVE/list	2011-01-06 00:13:06 UTC (rev 15799)
+++ data/CVE/list	2011-01-06 00:36:10 UTC (rev 15800)
@@ -1,3 +1,12 @@
+CVE-2011-XXXX [Crash with long HOME environment variable]
+	- toppler <unfixed> (bug #608979)
+	TODO: check
+CVE-2011-XXXX [Crash with long HOME environment variable]
+	- lbreakout2 <unfixed> (bug #608980)
+	TODO: check
+CVE-2011-XXXX [Crash with long GGI_DISPLAY environment variable]
+	- zhcon <unfixed> (bug #608981)
+	TODO: check
 CVE-2010-XXXX [syslog-ng log permissions]
 	- syslog-ng 3.1.3-2 (bug #608491)
 	[lenny] - syslog-ng <not-affected> (Freebsd-specific, which is not supported in Lenny)
@@ -16674,10 +16683,14 @@
 	- linux-2.6.24 <removed> (high)
 CVE-2009-3546 (The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before ...)
 	{DSA-1936-1}
+	- libwmf <unfixed>
+	- plt-scheme <unfixed>
+	- graphviz <unfixed>
 	- libgd2 2.0.36~rc1~dfsg-3.1 (medium; bug #552534)
 	- php5 <not-affected> (the php packages use the system libgd2)
 	NOTE: http://svn.php.net/viewvc?view=revision&revision=289557
 	NOTE: <20091015173822.084de220 at redhat.com> in OSS-sec
+	TODO: check
 CVE-2009-3545 (DataWizard Technologies FtpXQ FTP Server 3.0 allows remote ...)
 	NOT-FOR-US: DataWizard Technologies FtpXQ FTP Server
 CVE-2009-3544 (Xerver HTTP Server 4.32 allows remote attackers to obtain the source ...)
@@ -48677,8 +48690,12 @@
 CVE-2007-4892 (Multiple SQL injection vulnerabilities in SWSoft Plesk 7.6.1, 8.1.0, ...)
 	NOT-FOR-US: Plesk (Windows)
 CVE-2007-XXXX [libgd2: gdImageColorTransparent can write outside buffer]
+	- libwmf <unfixed>
+	- plt-scheme <unfixed>
+	- graphviz <unfixed>
 	- libgd2 2.0.35.dfsg-3
 	[etch] - libgd2 2.0.33-5.2etch1 
+	TODO: check
 CVE-2007-4891 (A certain ActiveX control in PDWizard.ocx 6.0.0.9782 and earlier in ...)
 	NOT-FOR-US: PDWizard
 CVE-2007-4890 (Absolute directory traversal vulnerability in a certain ActiveX ...)
@@ -50823,8 +50840,12 @@
 CVE-2007-3996 (Multiple integer overflows in libgd in PHP before 5.2.4 allow remote ...)
 	{DSA-1613-1}
 	- libgd2 2.0.35.dfsg-1 (bug #443456; medium)
+	- libwmf <unfixed>
+	- plt-scheme <unfixed>
+	- graphviz <unfixed>
 	NOTE: Debian's PHP packages are linked dynamically against libgd
 	NOTE: see http://www.php.net/releases/5_2_4.php
+	TODO: check
 CVE-2007-3995
 	RESERVED
 CVE-2007-3994
@@ -52087,11 +52108,19 @@
 CVE-2007-3477 (The (a) imagearc and (b) imagefilledarc functions in GD Graphics ...)
 	{DSA-1613-1}
 	- libgd2 2.0.35.dfsg-1 (low)
+	- libwmf <unfixed>
+	- plt-scheme <unfixed>
+	- graphviz <unfixed>
 	NOTE: CPU consumption DoS
+	TODO: check
 CVE-2007-3476 (Array index error in gd_gif_in.c in the GD Graphics Library (libgd) ...)
 	{DSA-1613-1}
 	- libgd2 2.0.35.dfsg-1 (low)
+	- libwmf <unfixed>
+	- plt-scheme <unfixed>
+	- graphviz <unfixed>
 	NOTE: can write a 0 to a 4k window in heap, very unlikely to be controllable.
+	TODO: check
 CVE-2007-3475 (The GD Graphics Library (libgd) before 2.0.35 allows user-assisted ...)
 	- libgd2 <unfixed> (unimportant)
 	NOTE: out-of-band memory read, does not appear attacker controlled.


