[Secure-testing-commits] r58624 - in data: . CVE
Ola Lundqvist
opal at moszumanska.debian.org
Sat Dec 16 19:16:25 UTC 2017
Author: opal
Date: 2017-12-16 19:16:24 +0000 (Sat, 16 Dec 2017)
New Revision: 58624
Modified:
data/CVE/list
data/dla-needed.txt
Log:
Triage results.
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-12-16 18:16:13 UTC (rev 58623)
+++ data/CVE/list 2017-12-16 19:16:24 UTC (rev 58624)
@@ -4495,6 +4495,7 @@
TODO: check
CVE-2017-17670 (In VideoLAN VLC media player through 2.2.8, there is a type conversion ...)
- vlc <unfixed>
+ [wheezy] - vlc <end-of-life> (Not supported wheezy LTS)
NOTE: http://www.openwall.com/lists/oss-security/2017/12/15/1
NOTE: POC: https://gist.github.com/dyntopia/194d912287656f66dd502158b0cd2e68
CVE-2017-17669 (There is a heap-based buffer over-read in the ...)
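Review bot: The reason text on the added vlc line, "(Not supported wheezy LTS)", is missing a preposition and reads ambiguously; "Not supported in wheezy LTS" would state plainly that the package is outside LTS support rather than that the issue is. The `<end-of-life>` tag itself is consistent with that reason.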
@@ -4887,6 +4888,7 @@
- python3.5 <unfixed>
- python3.6 <unfixed>
- python3.7 <unfixed>
+ [wheezy] - jython <not-affected> (Vulnerable code is not provided in the binary package)
NOTE: Lib/webbrowser.py does not validate strings before launching the program
NOTE: specified by the BROWSER environment variable.
CVE-2017-17521 (uiutil.c in FontForge through 20170731 does not validate strings before ...)
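Review bot: The added `[wheezy] - jython <not-affected>` line sits directly under `- python3.7 <unfixed>`, and no unqualified `- jython` entry is visible in this hunk's context, so the suite line reads as if it belonged to the python3.7 entry. If a `- jython` line exists above the context shown, the wheezy line should go directly beneath it. The reason "Vulnerable code is not provided in the binary package" would also be easier to verify if it named the file from the NOTE below (Lib/webbrowser.py) as the code that is not shipped.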
@@ -4908,9 +4910,11 @@
NOTE: The motivation for being minor in wheezt is that it is only for browsing help pages so the attack vector is limited.
CVE-2017-17518 (swt/motif/browser.c in White_dune (aka whitedune) 0.30.10 does not ...)
- whitedune <unfixed>
+ [wheezy] - whitedune <no-dsa> (Minor issue. Vulnerable code present but an attacker can not control the URL so it is impossible to trigger it)
NOTE: https://sources.debian.org/src/whitedune/0.30.10-2.1/src/swt/motif/browser.c/?hl=159#L214
CVE-2017-17517 (libsylph/utils.c in Sylpheed through 3.6 does not validate strings ...)
- sylpheed <unfixed>
+ [wheezy] - sylpheed <no-dsa> (Minor issue)
NOTE: https://sources.debian.org/src/sylpheed/3.5.1-1/libsylph/utils.c/?hl=4292#L4292
CVE-2017-17516 (scripts/inspect_webbrowser.py in Reddit Terminal Viewer (RTV) 1.19.0 ...)
- rtv <unfixed>
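Review bot: The added sylpheed line, `[wheezy] - sylpheed <no-dsa> (Minor issue)`, gives no rationale, while the whitedune line added just above it explains that an attacker cannot control the URL. Please give the sylpheed entry the same kind of one-clause justification so the triage decision can be checked later without re-reading libsylph/utils.c. Separately, the unchanged NOTE at the top of this hunk spells the suite as "wheezt"; it would be worth correcting while this block is being edited.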
Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt 2017-12-16 18:16:13 UTC (rev 58623)
+++ data/dla-needed.txt 2017-12-16 19:16:24 UTC (rev 58624)
@@ -82,6 +82,15 @@
--
otrs2 (Emilio Pozuelo)
--
+python2.6
+ NOTE: webbrowser.py as binary is hard to exploit, but when using it as an import then it may be possible to trigger something. Should be fixed to be on the safe side even though it is not an urgent problem.
+--
+python2.7
+ NOTE: webbrowser.py as binary is hard to exploit, but when using it as an import then it may be possible to trigger something. Should be fixed to be on the safe side even though it is not an urgent problem.
+--
+python3.2
+ NOTE: webbrowser.py as binary is hard to exploit, but when using it as an import then it may be possible to trigger something. Should be fixed to be on the safe side even though it is not an urgent problem.
+--
qemu (Guido Günther)
--
qemu-kvm (Guido Günther)
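Review bot: The three added entries (python2.6, python2.7, python3.2) carry the same NOTE verbatim and none of them names the CVE being tracked, so a reader of dla-needed.txt has to search data/CVE/list for "webbrowser.py" to find out which issue this is. Put the CVE id at the start of each NOTE. The phrase "it may be possible to trigger something" is also too vague to act on; since the CVE/list NOTE says the BROWSER environment variable is not validated, saying that importing code may pass attacker-influenced input to the launched program would tell the person who picks this up what to test.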
@@ -102,6 +111,8 @@
--
tiff3
--
+tkabber
+--
tor
--
wireshark (Thorsten Alteholz)
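Review bot: The added `tkabber` entry has no NOTE and no CVE reference, and none of the data/CVE/list hunks in this revision mention tkabber, so the commit gives no indication of which issue put it on the list. Add a one-line NOTE with the CVE id, in the same way the python entries added in the previous hunk carry a NOTE.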