[Secure-testing-commits] r54304 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Sat Aug 5 03:32:24 UTC 2017


Author: carnil
Date: 2017-08-05 03:32:24 +0000 (Sat, 05 Aug 2017)
New Revision: 54304

Modified:
   data/CVE/list
Log:
Adjust CVE-2017-11423

A distribution tagged entry only is almost always not right for
tracking. Adjust the entry to track clamav source package as a whole, mark
as unimportant since when available it's using libmspack library
instead of the embedded one. Add clarifying note so it's clear that
wheezy needs to be fixed separately if wanted by the LTS team.

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-08-04 22:28:56 UTC (rev 54303)
+++ data/CVE/list	2017-08-05 03:32:24 UTC (rev 54304)
@@ -2510,11 +2510,15 @@
 	RESERVED
 CVE-2017-11423 (The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha, ...)
 	- libmspack <unfixed> (bug #868956)
-	[wheezy] - clamav <unfixed>
+	- clamav <unfixed> (unimportant)
 	NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11873 (not public)
 	NOTE: https://github.com/hackerlib/hackerlib-vul/tree/master/clamav-vul
-	NOTE: https://github.com/vrtadmin/clamav-devel/commit/ffa31264a657618a0e40c51c01e4bfc32e244d13
-	NOTE: https://github.com/vrtadmin/clamav-devel/commit/ada5f94e5cfb04e1ac2a6f383f2184753f475b96
+	NOTE: ClamAV: https://github.com/vrtadmin/clamav-devel/commit/ffa31264a657618a0e40c51c01e4bfc32e244d13
+	NOTE: ClamaV: https://github.com/vrtadmin/clamav-devel/commit/ada5f94e5cfb04e1ac2a6f383f2184753f475b96
+	NOTE: ClamAV uses the libmspack system library when available. This is the
+	NOTE: case from starting from Debian Jessie. Debian Wheezy does not have
+	NOTE: does not have libmspack and thus need to have the fix as well in the
+	NOTE: src:clamav source package.
 CVE-2017-11422 (Statamic framework before 2.6.0 does not correctly check a session's ...)
 	NOT-FOR-US: Statamic
 CVE-2017-11420 (Stack-based buffer overflow in ASUS_Discovery.c in networkmap in ...)
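Review bot: The new "- clamav <unfixed> (unimportant)" line marks the whole source package as unimportant, while the added NOTE lines say Debian Wheezy has no libmspack and needs the fix in src:clamav, so the one release that is affected through the embedded copy is now recorded only in free text. Consider whether a wheezy-specific line should stay alongside the package-wide entry. The NOTE text itself also needs a pass: the second commit line is prefixed "ClamaV" where the line above has "ClamAV", "does not have" is repeated across the line break, and "case from starting from" and "thus need" should read "case starting from" and "thus needs".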
