[Secure-testing-commits] r55316 - in data: . CVE

Thu Aug 31 14:00:27 UTC 2017

Author: anarcat
Date: 2017-08-31 14:00:27 +0000 (Thu, 31 Aug 2017)
New Revision: 55316

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
CVE-2017-7506 not present in wheezy

I have audited the code and the vulnerability is specifically bound to
the reds_on_main_agent_monitors_config function, which is simply not
present. a hostile message would fall through the code and not provoke
memory allocation or out of bounds access.



Modified: data/CVE/list
===================================================================

--- data/CVE/list	2017-08-31 13:48:46 UTC (rev 55315)
+++ data/CVE/list	2017-08-31 14:00:27 UTC (rev 55316)
@@ -18429,6 +18429,7 @@
 CVE-2017-7506 (spice versions though 0.13 are vulnerable to out-of-bounds memory ...)
 	{DSA-3907-1}
 	- spice 0.12.8-2.2 (bug #868083)
+	[wheezy] - spice <not-affected> (Vulnerable code not introduced later)
 CVE-2017-7505 (Foreman since version 1.5 is vulnerable to an incorrect authorization ...)
 	- foreman <itp> (bug #663101)
 CVE-2017-7504 (HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the ...)

Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt	2017-08-31 13:48:46 UTC (rev 55315)
+++ data/dla-needed.txt	2017-08-31 14:00:27 UTC (rev 55316)
@@ -155,12 +155,6 @@
   NOTE: No patches. Contacted upstream. Waiting for feedback
   NOTE: > 12% of sponsors use sox hence I have decided to add it here.
 --
-spice (anarcat)
-  NOTE: CVE-2017-7506 already fixed in jessie. Can take patch there.
-  NOTE: (Markus Koschany) Patch from Jessie does not apply. Function
-  NOTE: reds_on_main_agent_monitors_config does not exist. Unclear how issue
-  NOTE: can be triggered/verified in this version
---
 tcpdump (Guido Günther)
   NOTE: Contacted upstream regarding CVE-2017-11543
   NOTE: package otherwise ready for upload


