[Secure-testing-commits] r28419 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Fri Aug 22 07:54:19 UTC 2014


Author: carnil
Date: 2014-08-22 07:54:19 +0000 (Fri, 22 Aug 2014)
New Revision: 28419

Modified:
   data/CVE/list
Log:
Add CVE-2014-5120, from external check list

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2014-08-22 04:36:21 UTC (rev 28418)
+++ data/CVE/list	2014-08-22 07:54:19 UTC (rev 28419)
@@ -697,8 +697,13 @@
 	RESERVED
 CVE-2014-5121
 	RESERVED
-CVE-2014-5120
+CVE-2014-5120 [NUL byte injection in filenames passed to image handling functions]
 	RESERVED
+	- php5 <unfixed>
+	- libgd2 <unfixed>
+	NOTE: https://bugs.php.net/bug.php?id=67730
+	NOTE: https://bugs.php.net/patch-display.php?bug_id=67730&patch=gd-null-injection&revision=latest
+	TODO: check, possibly does not affect the libgd library itself, only the copy in php
 CVE-2014-5115 (Absolute path traversal vulnerability in DirPHP 1.0 allows remote ...)
 	NOT-FOR-US: DirPHP
 CVE-2014-5114 (WeBid 1.1.1 allows remote attackers to conduct an LDAP injection ...)
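Review bot: The added `- libgd2 <unfixed>` line records libgd2 as affected, while the TODO at the end of the same entry says the issue possibly does not affect the libgd library itself, only the copy in php. Until that check is done, consider marking the libgd2 line `<undetermined>` instead, so the package is not reported as vulnerable on an unverified assumption, and drop or resolve the TODO once the php patch has been compared against the libgd2 source. A smaller point on the second NOTE: the patch URL uses `revision=latest`, which will follow whatever revision is newest at the time of reading, so a pinned revision would keep the reference stable.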
