[Secure-testing-commits] r46540 - in data: . CVE
Raphaël Hertzog
hertzog at moszumanska.debian.org
Fri Nov 25 11:20:38 UTC 2016
Author: hertzog
Date: 2016-11-25 11:20:38 +0000 (Fri, 25 Nov 2016)
New Revision: 46540
Modified:
data/CVE/list
data/dla-needed.txt
Log:
Mark dwarfutils CVE as no-dsa on wheezy and drop entry from dla-needed.txt
Handling untrusted debug symbols is not a very common use case. And
only kcov uses libdwarf-dev so we don't have many users of the library.
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-11-25 11:10:52 UTC (rev 46539)
+++ data/CVE/list 2016-11-25 11:20:38 UTC (rev 46540)
@@ -154,6 +154,7 @@
CVE-2016-9558 [negation overflow in dwarf_leb.c]
- dwarfutils <unfixed> (bug #845408)
[jessie] - dwarfutils <no-dsa> (Minor issue)
+ [wheezy] - dwarfutils <no-dsa> (Minor issue)
NOTE: https://blogs.gentoo.org/ago/2016/11/19/libdwarf-negation-overflow-in-dwarf_leb-c
NOTE: Fixed by: https://sourceforge.net/p/libdwarf/code/ci/4f19e1050cd8e9ddf2cb6caa061ff2fec4c9b5f9/#diff-5
CVE-2016-9557 [signed integer overflow in jas_image.c]
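Review bot: the added [wheezy] line for CVE-2016-9558 gives only "(Minor issue)" as its reason, while the actual rationale (untrusted debug symbols are an uncommon input, and only kcov uses libdwarf-dev) sits in the commit log, where readers of data/CVE/list will not see it. Consider carrying that rationale in the parenthetical or in a NOTE line on the entry. The same applies to the other [wheezy] lines added in this commit.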
@@ -1002,6 +1003,7 @@
RESERVED
- dwarfutils <unfixed> (bug #844011)
[jessie] - dwarfutils <no-dsa> (Minor issue)
+ [wheezy] - dwarfutils <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/libdwarf/code/ci/583f8834083b5ef834c497f5b47797e16101a9a6/
NOTE: https://blogs.gentoo.org/ago/2016/11/07/libdwarf-heap-based-buffer-overflow-in-dwarf_get_aranges_list-dwarf_arange-c
NOTE: Same commit as for CVE-2016-9275. Needs the dwarf_arange.c part of the commit.
@@ -3288,6 +3290,7 @@
RESERVED
- dwarfutils 20161001-2 (bug #840958)
[jessie] - dwarfutils <no-dsa> (Minor issue)
+ [wheezy] - dwarfutils <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2016/10/08/11
NOTE: https://sourceforge.net/p/libdwarf/code/ci/2d14a7792889e33bc542c28d0f3792964c46214f/#diff-13
NOTE: https://sourceforge.net/p/libdwarf/code/ci/efe48cad0693d6994d9a7b561e1c3833b073a624/#diff-2
@@ -3296,12 +3299,14 @@
RESERVED
- dwarfutils 20161001-2 (bug #840960)
[jessie] - dwarfutils <no-dsa> (Minor issue)
+ [wheezy] - dwarfutils <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2016/10/08/12
NOTE: https://sourceforge.net/p/libdwarf/code/ci/268c1f18d1d28612af3b72d7c670076b1b88e51c/tree/libdwarf/dwarf_util.c?diff=0b28b923c3bd9827d1d904feed2abadde4fa5de2
CVE-2016-8681 [dwarf_util.c: heap-based buffer overflow in _dwarf_get_abbrev_for_code second one]
RESERVED
- dwarfutils 20161001-2 (bug #840961)
[jessie] - dwarfutils <no-dsa> (Minor issue)
+ [wheezy] - dwarfutils <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/libdwarf/code/ci/2d14a7792889e33bc542c28d0f3792964c46214f/#diff-13
NOTE: https://sourceforge.net/p/libdwarf/code/ci/efe48cad0693d6994d9a7b561e1c3833b073a624/#diff-2
NOTE: http://www.openwall.com/lists/oss-security/2016/10/08/13
Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt 2016-11-25 11:10:52 UTC (rev 46539)
+++ data/dla-needed.txt 2016-11-25 11:20:38 UTC (rev 46540)
@@ -12,9 +12,6 @@
--
asterisk
--
-dwarfutils
- NOTE: New round of CVEs not seemingly covered by DLA 669-1.
---
firefox-esr
--
gst-plugins-good0.10 (Emilio Pozuelo)
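Review bot: removing the dwarfutils entry also drops the NOTE "New round of CVEs not seemingly covered by DLA 669-1" without recording which CVEs that round comprised. Before dropping it, confirm that each of them now carries a [wheezy] tag in data/CVE/list (this commit adds five). Any that was missed would no longer be tracked for wheezy in either file.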