[Secure-testing-commits] r39614 - in data: . CVE
Antoine Beaupré
anarcat at moszumanska.debian.org
Thu Feb 11 20:29:05 UTC 2016
Author: anarcat
Date: 2016-02-11 20:29:05 +0000 (Thu, 11 Feb 2016)
New Revision: 39614
Modified:
data/CVE/list
data/dla-needed.txt
Log:
squeeze is most likely not affected by libraw vulns, but identify packages which could be in other versions
based on Ubuntu's assessment and a summary search
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-02-11 19:40:15 UTC (rev 39613)
+++ data/CVE/list 2016-02-11 20:29:05 UTC (rev 39614)
@@ -6992,18 +6992,32 @@
[jessie] - libraw 0.16.0-9+deb8u2
[wheezy] - libraw <not-affected> (Vulnerable code not present)
[squeeze] - libraw <not-affected> (Vulerable code not present)
+ - dcraw <undetermined>
+ - kodi <undetermined>
+ - darktable <undetermined>
+ - ufraw <undetermined>
+ - rawtherapee <undetermined>
+ - exactimage <undetermined>
+ - xbmc <undetermined>
NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2
NOTE: Introduced by: https://github.com/LibRaw/LibRaw/commit/7b1430c76a19c93f3cc755bb2ff9bda0ba9b4082 (0.15.0)
- TODO: check other copies containing libraw code, double check introducing commit
+ TODO: double check introducing commit and related packages
CVE-2015-8366 [Index overflow in smal_decode_segment]
RESERVED
- libraw 0.17.1-1 (bug #806809)
[jessie] - libraw 0.16.0-9+deb8u2
[wheezy] - libraw <not-affected> (Vulnerable code not present)
[squeeze] - libraw <not-affected> (Vulnerable code not present)
+ - dcraw <undetermined>
+ - kodi <undetermined>
+ - darktable <undetermined>
+ - ufraw <undetermined>
+ - rawtherapee <undetermined>
+ - exactimage <undetermined>
+ - xbmc <undetermined>
NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2
NOTE: Introduced by: https://github.com/LibRaw/LibRaw/commit/cfe3ab8da7276fb339de770a3d1b7bfb212620b7
- TODO: check other copies containing libraw code, double check introducing commit
+ TODO: double check introducing commit and related packages
CVE-2015-8365 (The smka_decode_frame function in libavcodec/smacker.c in FFmpeg ...)
- ffmpeg 7:2.8.3-1 (bug #806519)
[squeeze] - ffmpeg <end-of-life> (Not supported in Squeeze LTS)
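Review bot: The seven `<undetermined>` lines added under each of the two libraw entries carry no NOTE saying where the package list came from or why each package is suspected, so whoever triages them later has to redo the search. The log message says the list is based on Ubuntu's assessment and a summary search; a NOTE line on each entry stating that, and that these packages are suspected of carrying their own copy of the libraw/dcraw code, would make the entries self-explanatory. The rewritten TODO ("double check introducing commit and related packages") also drops the explicit "copies containing libraw code" wording, which was the clearer description of what still has to be checked. Separately, the unchanged squeeze line of the first entry still reads "Vulerable code not present", while the second entry spells it correctly; it is worth fixing while the entry is being edited.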
Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt 2016-02-11 19:40:15 UTC (rev 39613)
+++ data/dla-needed.txt 2016-02-11 20:29:05 UTC (rev 39614)
@@ -37,9 +37,6 @@
--
krb5 (Thorsten Alteholz)
--
-libraw (antoine beaupré)
- NOTE: libraw is not affected, but copies in other packages need to be checked, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806809
---
lxc (Mike Gabriel)
NOTE: waiting for upstream feedback: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/comments/77
--
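Review bot: Removing the libraw entry from data/dla-needed.txt also removes its NOTE, the only place in this file that said copies in other packages still need to be checked and pointed at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806809. The same commit marks dcraw, kodi, darktable, ufraw, rawtherapee, exactimage and xbmc as `<undetermined>` in data/CVE/list, so that work is still open but is no longer tracked in this file. Consider keeping an entry here for the follow-up on the embedding packages, or stating in the log message that the `<undetermined>` entries are now the tracking mechanism.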