[Secure-testing-commits] r50668 - data/CVE

Raphaël Hertzog hertzog at moszumanska.debian.org
Fri Apr 14 13:38:12 UTC 2017


Author: hertzog
Date: 2017-04-14 13:38:12 +0000 (Fri, 14 Apr 2017)
New Revision: 50668

Modified:
   data/CVE/list
Log:
Add some data about CVE-2016-10317

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-04-14 13:37:29 UTC (rev 50667)
+++ data/CVE/list	2017-04-14 13:38:12 UTC (rev 50668)
@@ -1167,8 +1167,14 @@
 	[jessie] - horizon <not-affected> (Vulnerable code not present)
 	NOTE: https://launchpad.net/bugs/1667086
 CVE-2016-10317 (The fill_threshhold_buffer function in base/gxht_thresh.c in Artifex ...)
-	- ghostscript <undetermined>
+	- ghostscript <unfixed>
+	[wheezy] - ghostscript <no-dsa> (Not directly reproducible, to re-evaluate once the upstream fix is known)
 	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697459
+	NOTE: I got the reproducer file from the bug submitter and tried to reproduce it.
+	NOTE: Results are the following: sid/stretch with 9.20~dfsg-3 are
+	NOTE: affected, it even segfaults. But with wheezy 9.05~dfsg-6.3+deb7u2
+	NOTE: and jessie 9.06~dfsg-2+deb8u4, we have no segfault and valgrind
+	NOTE: reports no buffer overrun. -- Raphael Hertzog
 CVE-2017-1001000 (The register_routes function in ...)
 	- wordpress 4.7.2+dfsg-1
 	[jessie] - wordpress <not-affected> (Vulnerable code introduced after 4.4)
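Review bot: the added NOTE lines for CVE-2016-10317 report the same outcome for jessie 9.06~dfsg-2+deb8u4 as for wheezy 9.05~dfsg-6.3+deb7u2 (no segfault, no overrun under valgrind), yet only a [wheezy] <no-dsa> line is added, so jessie is left covered by the generic "- ghostscript <unfixed>" entry with no triage state of its own. Either add a matching [jessie] line with the same "to re-evaluate once the upstream fix is known" rationale, or state in the NOTE why jessie is deliberately left open. It would also help the later re-evaluation if the NOTE said whether fill_threshhold_buffer in base/gxht_thresh.c was compared across the 9.05/9.06 and 9.20 sources, since the NOTE as written records only that the reproducer did not crash on the older versions.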



