[Secure-testing-commits] r46586 - data/CVE
Thorsten Alteholz
alteholz at moszumanska.debian.org
Sat Nov 26 21:47:15 UTC 2016
Author: alteholz
Date: 2016-11-26 21:47:15 +0000 (Sat, 26 Nov 2016)
New Revision: 46586
Modified:
data/CVE/list
Log:
take care of some jasper issues
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-11-26 20:02:32 UTC (rev 46585)
+++ data/CVE/list 2016-11-26 21:47:15 UTC (rev 46586)
@@ -547,6 +547,7 @@
CVE-2016-9557 [signed integer overflow in jas_image.c]
RESERVED
- jasper <removed>
+ [wheezy] - jasper <no-dsa> (the fix is too invasive)
NOTE: https://blogs.gentoo.org/ago/2016/11/19/jasper-signed-integer-overflow-in-jas_image-c
NOTE: Fixed by: https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a
CVE-2016-9555 [net/sctp: slab-out-of-bounds in sctp_sf_ootb]
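Review bot: The reason on the added wheezy line for CVE-2016-9557, "(the fix is too invasive)", does not say what makes the referenced upstream commit hard to backport, and a reader may take <no-dsa> on a signed integer overflow to mean the issue is minor. Consider adding a NOTE line under this entry stating that wheezy stays affected and which part of the "Fixed by" commit blocks a backport, so the decision can be revisited later.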
@@ -1457,6 +1458,7 @@
CVE-2016-9262 [use after free in jas_realloc (jas_malloc.c)]
RESERVED
- jasper <removed>
+ [wheezy] - jasper <no-dsa> (Vulnerable code introduced later)
NOTE: Fixed by: https://github.com/mdadams/jasper/commit/634ce8e8a5accc0fa05dd2c20d42b4749d4b2735
NOTE: https://blogs.gentoo.org/ago/2016/11/07/jasper-use-after-free-in-jas_realloc-jas_malloc-c
CVE-2016-9258
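Review bot: The added wheezy line for CVE-2016-9262 pairs <no-dsa> with the reason "(Vulnerable code introduced later)", and the two contradict each other: <no-dsa> records an affected package that will not get an advisory, while the reason says the wheezy version never contained the bug. If the code really is absent from wheezy, the entry should read "[wheezy] - jasper <not-affected> (Vulnerable code introduced later)", otherwise the tracker keeps reporting wheezy as vulnerable to this use after free.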
@@ -2857,6 +2859,7 @@
RESERVED
- jasper <removed> (low)
[jessie] - jasper <no-dsa> (Minor issue)
+ [wheezy] - jasper <no-dsa> (Minor issue)
NOTE: https://blogs.gentoo.org/ago/2016/10/18/jasper-memory-allocation-failure-in-jas_malloc-jas_malloc-c
CVE-2016-XXXX [sendmail: Privilege escalation from group smmsp to root]
- sendmail <unfixed> (bug #841257)
@@ -2884,10 +2887,12 @@
CVE-2016-8881 [Heap overflow in jpc_getuint16()]
RESERVED
- jasper <removed>
+ [wheezy] - jasper <no-dsa> (no patch available for just this issue)
NOTE: https://github.com/mdadams/jasper/issues/29
CVE-2016-8880 [Heap overflow in jpc_dec_cp_setfromcox()]
RESERVED
- jasper <removed>
+ [wheezy] - jasper <no-dsa> (no patch available for just this issue)
NOTE: https://github.com/mdadams/jasper/issues/28
CVE-2016-8866 [memory allocation failure in AcquireMagickMemory (memory.c) (incomplete fix for CVE-2016-8862)]
RESERVED
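Review bot: Both added wheezy lines (CVE-2016-8881 and CVE-2016-8880) give "(no patch available for just this issue)" as the reason, but neither entry has a "Fixed by" NOTE, only the links to upstream issues 29 and 28. Since the wording implies a combined upstream fix exists, add a NOTE naming that commit or release under each entry. Without it these two heap overflows are marked <no-dsa> with nothing for a later triager to follow up on.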