[Secure-testing-commits] r45697 - data/CVE
Raphaël Hertzog
hertzog at moszumanska.debian.org
Fri Oct 28 10:39:39 UTC 2016
Author: hertzog
Date: 2016-10-28 10:39:39 +0000 (Fri, 28 Oct 2016)
New Revision: 45697
Modified:
data/CVE/list
Log:
Update status of many CVE for tiff3
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-10-28 08:34:33 UTC (rev 45696)
+++ data/CVE/list 2016-10-28 10:39:39 UTC (rev 45697)
@@ -1937,7 +1937,9 @@
RESERVED
- tiff <unfixed>
- tiff3 <removed>
+ [wheezy] - tiff3 <not-affected> (Does not ship libtiff tools)
NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0190/
+ NOTE: From the backtrace shared in the report, we can see that the crash is triggered though the thumbnail tool which has been dropped upstream.
CVE-2016-8330
RESERVED
CVE-2016-8329
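Review bot: typo in the added NOTE line: "the crash is triggered though the thumbnail tool" should read "through". This NOTE is also the only place in the entry that names the affected tool. The other thumbnail entries touched by this commit carry "NOTE: src:tiff3: built binary packages do not contain the TIFF tools", so adding that same line here would keep the justification consistent across entries.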
@@ -10547,6 +10549,7 @@
RESERVED
- tiff <unfixed>
- tiff3 <removed>
+ [wheezy] - tiff3 <not-affected> (Does not ship libtiff tools)
NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0187/
NOTE: https://github.com/vadz/libtiff/commit/b5d6803f0898e931cf772d3d0755704ab8488e63
CVE-2016-5651
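Review bot: the added "[wheezy] - tiff3" not-affected line gives "Does not ship libtiff tools" as its reason, but nothing in this entry says the issue lives in a tool. The two existing NOTE lines are only the TALOS-2016-0187 report link and the upstream commit link. Suggest adding a NOTE that names the affected tool, as was done for the TALOS-2016-0190 entry in the first hunk, so the status can be checked from the entry itself.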
@@ -12932,6 +12935,7 @@
[jessie] - tiff <no-dsa> (Minor issue)
[wheezy] - tiff <no-dsa> (Minor issue)
- tiff3 <removed> (unimportant)
+ [wheezy] - tiff3 <not-affected> (Does not ship libtiff-tools)
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2552
NOTE: confirmed this still crashes with latest CVS, version v4.0.6
NOTE: also confirmed this crashes v4.0.2 in wheezy
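Review bot: the reason on the added line is spelled "libtiff-tools", while every other line added in this commit uses "libtiff tools". Pick one spelling so that all entries sharing this justification can be found with a single search.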
@@ -17240,7 +17244,7 @@
[jessie] - tiff <no-dsa> (Minor issue)
[wheezy] - tiff <no-dsa> (Minor issue)
- tiff3 <removed> (low)
- [wheezy] - tiff3 <no-dsa> (Minor issue and tiffset uses libtiff5 from tiff and not libtiff4 from tiff3)
+ [wheezy] - tiff3 <not-affected> (Does not ship libtiff tools)
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2546
NOTE: Duplicate of http://bugzilla.maptools.org/show_bug.cgi?id=2500
CVE-2016-3657 (Buffer overflow in the GlobalProtect Portal in Palo Alto Networks ...)
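Review bot: the removed wheezy line recorded which tool is involved and why tiff3 is out of scope ("tiffset uses libtiff5 from tiff and not libtiff4 from tiff3"), and the replacement drops that detail in favour of the generic reason. Suggest keeping the tiffset sentence as a NOTE line so the not-affected status remains verifiable from the entry.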
@@ -17294,6 +17298,7 @@
[jessie] - tiff <no-dsa> (Minor issue)
[wheezy] - tiff <no-dsa> (Minor issue)
- tiff3 <removed> (unimportant)
+ [wheezy] - tiff3 <not-affected> (Does not ship libtiff tools)
NOTE: src:tiff3: built binary packages do not contain the TIFF tools
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2547
NOTE: Upstream will remove thumbnail from 4.0.7 release
@@ -17303,6 +17308,7 @@
[jessie] - tiff <no-dsa> (Minor issue)
[wheezy] - tiff <no-dsa> (Minor issue)
- tiff3 <removed> (unimportant)
+ [wheezy] - tiff3 <not-affected> (Does not ship libtiff tools)
NOTE: src:tiff3: built binary packages do not contain the TIFF tools
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2548
NOTE: Upstream will remove thumbnail from 4.0.7 release
@@ -17312,6 +17318,7 @@
[jessie] - tiff <no-dsa> (Minor issue)
[wheezy] - tiff <no-dsa> (Minor issue)
- tiff3 <removed> (unimportant)
+ [wheezy] - tiff3 <not-affected> (Does not ship libtiff tools)
NOTE: src:tiff3: built binary packages do not contain the TIFF tools
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2549
NOTE: Upstream will remove thumbnail from 4.0.7 release
@@ -17321,6 +17328,7 @@
[jessie] - tiff <no-dsa> (Minor issue)
[wheezy] - tiff <no-dsa> (Minor issue)
- tiff3 <removed> (unimportant)
+ [wheezy] - tiff3 <not-affected> (Does not ship libtiff tools)
NOTE: src:tiff3: built binary packages do not contain the TIFF tools
NOTE: No patch available. Issue marked as wontfix by upstream.
CVE-2016-3630 (The binary delta decoder in Mercurial before 3.7.3 allows remote ...)
@@ -17340,7 +17348,7 @@
[jessie] - tiff <no-dsa> (Minor issue)
[wheezy] - tiff <no-dsa> (Minor issue)
- tiff3 <removed>
- [wheezy] - tiff3 <no-dsa> (Minor issue)
+ [wheezy] - tiff3 <not-affected> (Does not ship libtiff tools)
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2566
CVE-2016-3624 (The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and ...)
- tiff <unfixed>
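Review bot: the wheezy tiff3 status moves from no-dsa (Minor issue) to not-affected, but the only NOTE in the entry is the bugzilla link for bug 2566, so nothing records that the flaw is confined to a tool. Suggest adding a NOTE that names the tool, matching the "src:tiff3: built binary packages do not contain the TIFF tools" line used in the neighbouring entries.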