[Secure-testing-commits] r22826 - data/CVE
Michael Gilbert
mgilbert at alioth.debian.org
Wed Jul 3 00:32:25 UTC 2013
Author: mgilbert
Date: 2013-07-03 00:32:25 +0000 (Wed, 03 Jul 2013)
New Revision: 22826
Modified:
data/CVE/list
Log:
tiff3 triage
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2013-07-02 21:14:19 UTC (rev 22825)
+++ data/CVE/list 2013-07-03 00:32:25 UTC (rev 22826)
@@ -40305,6 +40305,7 @@
CVE-2011-1167 (Heap-based buffer overflow in the thunder (aka ThunderScan) decoder in ...)
{DSA-2210-1}
- tiff 3.9.4-9 (bug #619614)
+ - tiff3 <not-affected> (fixed before initial upload)
CVE-2011-1166
RESERVED
{DSA-2337-1}
@@ -42938,8 +42939,8 @@
NOTE: Might be fixed earlier than 3.0.4-2, but was tested against the Wheezy version
CVE-2010-4665 (Integer overflow in the ReadDirectory function in tiffdump.c in ...)
{DSA-2552-1}
+ - tiff <not-affected> (vulnerable code not present)
- tiff3 3.9.5
- NOTE: tiff (4) might be affected, it was branched after tiff3 3.8.2 but the tiffdump.c code is completely different so I'm unsure
CVE-2010-4664
RESERVED
- consolekit 0.4.2-1 (low)
@@ -43302,9 +43303,11 @@
CVE-2011-0192 (Buffer overflow in Fax4Decode in LibTIFF 3.9.4 and possibly other ...)
{DSA-2210-1}
- tiff 3.9.4-7
+ - tiff3 <not-affected> (fixed before initial upload)
CVE-2011-0191 (Buffer overflow in LibTIFF 3.9.4 and possibly other versions, as used ...)
{DSA-2210-1}
- tiff 3.9.4-1
+ - tiff3 <not-affected> (fixed before initial upload)
NOTE: This might've been fixed earlier even
CVE-2011-0190 (Install Helper in Installer in Apple Mac OS X before 10.6.7 does not ...)
NOT-FOR-US: Apple Mac OS
@@ -44129,6 +44132,7 @@
CVE-2009-5022 (Heap-based buffer overflow in tif_ojpeg.c in the OJPEG decoder in ...)
{DSA-2256-1}
- tiff 3.9.5-1 (bug #624287)
+ - tiff3 <not-affected> (fixed before initial upload)
[lenny] - tiff <not-affected> (3.9+ only)
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=1999
CVE-2009-5021 (Cobbler before 1.6.1 does not properly determine whether an ...)
@@ -48156,6 +48160,7 @@
NOT-FOR-US: Knotify plugin for Pidgin
CVE-2010-3087 (LibTIFF before 3.9.2-5.2.1 in SUSE openSUSE 11.3 allows remote ...)
- tiff 3.9.4-5 (bug #600188)
+ - tiff3 <not-affected> (fixed before initial upload)
[lenny] - tiff <not-affected> (Vulnerable code not present)
CVE-2010-3086 (include/asm-x86/futex.h in the Linux kernel before 2.6.25 does not ...)
- linux-2.6 2.6.25-1
@@ -49438,10 +49443,13 @@
CVE-2010-2632 (Unspecified vulnerability in the FTP Server in Oracle Solaris 8, 9, ...)
NOT-FOR-US: Solaris FTP server
CVE-2010-2631 (LibTIFF 3.9.0 ignores tags in certain situations during the first ...)
- - tiff 4.0.2-1 (unimportant)
+ - tiff 3.9.4-1
+ - tiff3 <not-affected> (fixed before initial upload)
CVE-2010-2630 (The TIFFReadDirectory function in LibTIFF 3.9.0 does not properly ...)
{DSA-2552-1}
- - tiff 4.0.2-1
+ - tiff 3.9.6-1
+ - tiff3 3.9.6-1
+ NOTE: may have been fixed earlier
CVE-2010-2629 (The Cisco Content Services Switch (CSS) 11500 with software 8.20.4.02 ...)
NOT-FOR-US: Cisco
CVE-2010-2628 (The IKE daemon in strongSwan 4.3.x before 4.3.7 and 4.4.x before 4.4.1 ...)
@@ -49571,14 +49579,21 @@
[lenny] - mantis 1.1.6+dfsg-2lenny2
CVE-2010-2598 (LibTIFF in Red Hat Enterprise Linux (RHEL) 3 on x86_64 platforms, as ...)
- tiff 3.9.4-1
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2010-2597 (The TIFFVStripSize function in tif_strip.c in LibTIFF 3.9.0 and 3.9.2 ...)
{DSA-2552-1}
- - tiff 4.0.2-1
+ - tiff 3.9.6-1
+ - tiff3 3.9.6-1
+ NOTE: may have been fixed earlier
CVE-2010-2596 (The OJPEGPostDecode function in tif_ojpeg.c in LibTIFF 3.9.0 and ...)
- - tiff 4.0.2-1 (unimportant)
+ - tiff <unfixed> (unimportant)
+ - tiff3 <unfixed> (unimportant)
+ NOTE: no fix available as of July 2013
CVE-2010-2595 (The TIFFYCbCrtoRGB function in LibTIFF 3.9.0 and 3.9.2, as used in ...)
{DSA-2552-1}
- - tiff 4.0.2-1
+ - tiff 3.9.6-1
+ - tiff3 3.9.6-1
+ NOTE: may have been fixed earlier
CVE-2010-2573 (Integer underflow in Microsoft PowerPoint 2002 SP3 and 2003 SP3, ...)
NOT-FOR-US: Microsoft PowerPoint
CVE-2010-2572 (Buffer overflow in Microsoft PowerPoint 2002 SP3 and 2003 SP3 allows ...)
@@ -49823,11 +49838,14 @@
- php5 5.3.3-1 (unimportant)
CVE-2010-2483 (The TIFFRGBAImageGet function in LibTIFF 3.9.0 allows remote attackers ...)
- tiff 3.9.4-4 (unimportant)
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2010-2482 (LibTIFF 3.9.4 and earlier does not properly handle an invalid ...)
{DSA-2552-1}
- tiff 3.9.4-1 (unimportant)
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2010-2481 (The TIFFExtractData macro in LibTIFF before 3.9.4 does not properly ...)
- tiff 3.9.4-1 (unimportant)
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2010-2480 (Mako before 0.3.4 relies on the cgi.escape function in the Python ...)
- mako 0.3.4-1 (low)
[lenny] - mako <no-dsa> (Minor issue)
@@ -49909,6 +49927,7 @@
- kvirc 4:4.0.0~svn4340+rc3-1
CVE-2010-2443 (The OJPEGReadBufferFill function in tif_ojpeg.c in LibTIFF before ...)
- tiff 3.9.4-1 (unimportant)
+ - tiff3 <not-affected> (fixed prior to initial upload)
NOTE: Triggers a NULL pointer deref, crasher only
CVE-2010-2442 (Microsoft Internet Explorer, possibly 8, does not properly restrict ...)
NOT-FOR-US: Microsoft Internet Explorer
@@ -50453,6 +50472,7 @@
- cobbler <itp> (bug #545583)
CVE-2010-2233 (tif_getimage.c in LibTIFF 3.9.0 and 3.9.2 on 64-bit platforms, as used ...)
- tiff 3.9.4-2
+ - tiff3 <not-affected> (fixed prior to initial upload)
[lenny] - tiff <not-affected> (Only affects 3.9.x)
CVE-2010-2232
RESERVED
@@ -50874,12 +50894,14 @@
- apache2 <not-affected> (does not affect UNIX, only Windows, etc.)
CVE-2010-2067 (Stack-based buffer overflow in the TIFFFetchSubjectDistance function ...)
- tiff 3.9.4-1
+ - tiff3 <not-affected> (fixed prior to initial upload)
[lenny] - tiff <not-affected> (Only affects 3.9.x)
CVE-2010-2066 (The mext_check_arguments function in fs/ext4/move_extent.c in the ...)
- linux-2.6 2.6.32-21
[lenny] - linux-2.6 <not-affected> (Vulnerable code introduced in 2.6.31)
CVE-2010-2065 (Integer overflow in the TIFFroundup macro in LibTIFF before 3.9.3 ...)
- tiff 3.9.4-1
+ - tiff3 <not-affected> (fixed prior to initial upload)
[lenny] - tiff <not-affected> (Only affects 3.9.x)
NOTE: https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/589145
NOTE: https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/589565
@@ -52855,6 +52877,7 @@
CVE-2010-1411 (Multiple integer overflows in the Fax3SetupState function in ...)
{DSA-2084-1}
- tiff 3.9.4-1
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2010-1410 (WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and ...)
- webkit 1.2.1-2
[lenny] - webkit <no-dsa> (Unmaintained in Lenny, only affects fringe apps)
@@ -64248,6 +64271,7 @@
CVE-2009-2347 (Multiple integer overflows in inter-color spaces conversion tools in ...)
{DSA-1835-1}
- tiff 3.8.2-13
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2009-2346 (The IAX2 protocol implementation in Asterisk Open Source 1.2.x before ...)
- asterisk 1:1.6.2.0~dfsg~beta3-1 (bug #539473)
[etch] - asterisk <end-of-life> (Etch Packages no longer covered by security support)
@@ -64427,6 +64451,7 @@
CVE-2009-2285 (Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2 ...)
{DSA-1835-1}
- tiff 3.8.2-12 (low; bug #534137)
+ - tiff3 <not-affected> (fixed prior to initial upload)
NOTE: this doesn't allow code execution, only a crash.
CVE-2009-2283 (Multiple cross-site scripting (XSS) vulnerabilities in the help jsp ...)
NOT-FOR-US: Sun Java Web Console in Solaris
@@ -81264,6 +81289,7 @@
CVE-2008-2327 (Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, ...)
{DSA-1632-1 DTSA-160-1}
- tiff 3.8.2-11 (medium)
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2008-2326 (mDNSResponder in the Bonjour Namespace Provider in Apple Bonjour for ...)
NOT-FOR-US: Apple Bonjour for Windows
CVE-2008-2325 (QuickLook in Apple Mac OS X 10.4.11 and 10.5.4 allows remote attackers ...)
@@ -112412,24 +112438,31 @@
CVE-2006-3465 (Unspecified vulnerability in the custom tag support for the TIFF ...)
{DSA-1137-1}
- tiff 3.8.2-6
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2006-3464 (TIFF library (libtiff) before 3.8.2 allows context-dependent attackers ...)
{DSA-1137-1}
- tiff 3.8.2-6
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2006-3463 (The EstimateStripByteCounts function in TIFF library (libtiff) before ...)
{DSA-1137-1}
- tiff 3.8.2-6
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2006-3462 (Heap-based buffer overflow in the NeXT RLE decoder in the TIFF library ...)
{DSA-1137-1}
- tiff 3.8.2-6
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2006-3461 (Heap-based buffer overflow in the PixarLog decoder in the TIFF library ...)
{DSA-1137-1}
- tiff 3.8.2-6
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2006-3460 (Heap-based buffer overflow in the JPEG decoder in the TIFF library ...)
{DSA-1137-1}
- tiff 3.8.2-6
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2006-3459 (Multiple stack-based buffer overflows in the TIFF library (libtiff) ...)
{DSA-1137-1}
- tiff 3.8.2-6
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2006-3486 (** DISPUTED ** ...)
- mysql-dfsg-5.0 5.0.22-4 (unimportant; bug #378102)
[sarge] - mysql-dfsg-4.1 <not-affected> (Vulnerable code not present)
@@ -114307,6 +114340,7 @@
CVE-2006-2656 (Stack-based buffer overflow in the tiffsplit command in libtiff 3.8.2 ...)
{DSA-1091-1}
- tiff 3.8.2-3 (bug #369819; low)
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2006-2643 (Cross-site scripting (XSS) vulnerability in index.php in Monster Top ...)
NOT-FOR-US: Monster Top List
CVE-2006-2642 (** UNVERIFIABLE ** ...)
@@ -115351,6 +115385,7 @@
CVE-2006-2193 (Buffer overflow in the t2p_write_pdf_string function in tiff2pdf in libtiff ...)
{DSA-1091-1}
- tiff 3.8.2-4 (bug #371064; bug #370355; medium)
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2006-2191 (** DISPUTED ** ...)
- mailman <unfixed> (unimportant)
NOTE: not exploitable
@@ -115504,6 +115539,7 @@
CVE-2006-2120 (The TIFFToRGB function in libtiff before 3.8.1 allows remote attackers ...)
{DSA-1078-1}
- tiff 3.8.1 (bug #366588; medium)
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2006-2119 (PHP remote file inclusion vulnerability in event/index.php in Artmedic ...)
NOT-FOR-US: Artmedic
CVE-2006-2118 (JMK's Picture Gallery allows remote attackers to bypass authentication ...)
@@ -115719,16 +115755,19 @@
[sarge] - tiff 3.7.2-3sarge1
[woody] - tiff 3.5.5-7woody1
- tiff 3.8.1
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2006-2025 (Integer overflow in the TIFFFetchData function in tif_dirread.c for ...)
{DSA-1054-1}
[sarge] - tiff 3.7.2-3sarge1
[woody] - tiff 3.5.5-7woody1
- tiff 3.8.1
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2006-2024 (Multiple vulnerabilities in libtiff before 3.8.1 allow ...)
{DSA-1054-1}
[sarge] - tiff 3.7.2-3sarge1
[woody] - tiff 3.5.5-7woody1
- tiff 3.8.1
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2006-2023 (Integer overflow in the RTSP_msg_len function in rtsp/RTSP_msg_len.c ...)
NOT-FOR-US: Fenice
CVE-2006-2022 (Buffer overflow in the parse_url function in the RTSP module ...)
@@ -119837,6 +119876,7 @@
NOT-FOR-US: MyBB (aka MyBulletinBoard)
CVE-2006-0405 (The TIFFFetchShortPair function in tif_dirread.c in libtiff 3.8.0 ...)
- tiff 3.8.0-2 (bug #350715)
+ - tiff3 <not-affected> (fixed prior to initial upload)
[sarge] - tiff <not-affected> (Vulnerability was introduced later)
[woody] - tiff <not-affected> (Vulnerability was introduced later)
CVE-2006-0404 (Note-A-Day Weblog 2.2 stores sensitive data under the web document ...)
@@ -127306,6 +127346,7 @@
CVE-2005-2452 (libtiff up to 3.7.0 allows remote attackers to cause a denial of ...)
NOTE: CVE description is broken, this only affects 3.6, it's been fixed in 3.7
- tiff 3.7.0-1
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2005-2451 (Cisco IOS 12.0 through 12.4 and IOS XR before 3.2, with IPv6 enabled, ...)
NOT-FOR-US: IOS
CVE-2005-2450 (Multiple integer overflows in the (1) TNEF, (2) CHM, or (3) FSG file ...)
@@ -131034,6 +131075,7 @@
{DSA-755-1}
NOTE: CVE info about vulnerable version number is bogus
- tiff 3.7.2-3 (bug #309739)
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2005-1543 (Multiple stack-based and heap-based buffer overflows in Remote ...)
NOT-FOR-US: Novell Zenworks
CVE-2005-1542
@@ -136809,8 +136851,10 @@
CVE-2004-1308 (Integer overflow in (1) tif_dirread.c and (2) tif_fax3.c for libtiff ...)
{DSA-617-1}
- tiff 3.6.1-4
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2004-1307 (Integer overflow in the TIFFFetchStripThing function in tif_dirread.c ...)
- tiff 3.7.0 (low)
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2004-1306 (Heap-based buffer overflow in winhlp32.exe in Windows NT, Windows 2000 ...)
NOT-FOR-US: Windows
CVE-2004-1305 (The Windows Animated Cursor (ANI) capability in Windows NT, Windows ...)
@@ -137096,6 +137140,7 @@
CVE-2004-1183 (Integer overflow in the tiffdump utility for libtiff 3.7.1 and earlier ...)
{DSA-626-1}
- tiff 3.6.1-5
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2004-1182 (hfaxd in HylaFAX before 4.2.1, when installed with a "weak" ...)
{DSA-634-1}
- hylafax 1:4.2.1-1
@@ -137875,6 +137920,7 @@
{DSA-567-1}
- kdegraphics 3.3.2-1
- tiff 3.6.1-2
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2004-0885 (The mod_ssl module in Apache 2.0.35 through 2.0.52, when using the ...)
- apache2 2.0.52-2
- libapache-mod-ssl 2.8.20-1
@@ -138072,10 +138118,12 @@
{DSA-567-1}
- kdegraphics 3.3.2-1
- tiff 3.6.1-2
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2004-0803 (Multiple vulnerabilities in the RLE (run length encoding) decoders for ...)
{DSA-567-1}
- kdegraphics 3.3.2-1
- tiff 3.6.1-2
+ - tiff3 <not-affected> (fixed prior to initial upload)
CVE-2004-0802 (Buffer overflow in the BMP loader in imlib2 before 1.1.2 allows remote ...)
{DSA-552-1}
- imlib2 1.1.0-12.4
More information about the Secure-testing-commits
mailing list