[Secure-testing-commits] r58624 - in data: . CVE

Ola Lundqvist opal at moszumanska.debian.org
Sat Dec 16 19:16:25 UTC 2017 

Author: opal
Date: 2017-12-16 19:16:24 +0000 (Sat, 16 Dec 2017)
New Revision: 58624

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
Triage results.

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-12-16 18:16:13 UTC (rev 58623)
+++ data/CVE/list	2017-12-16 19:16:24 UTC (rev 58624)
@@ -4495,6 +4495,7 @@
 	TODO: check
 CVE-2017-17670 (In VideoLAN VLC media player through 2.2.8, there is a type conversion ...)
 	- vlc <unfixed>
+	[wheezy] - vlc <end-of-life> (Not supported wheezy LTS)
 	NOTE: http://www.openwall.com/lists/oss-security/2017/12/15/1
 	NOTE: POC: https://gist.github.com/dyntopia/194d912287656f66dd502158b0cd2e68
 CVE-2017-17669 (There is a heap-based buffer over-read in the ...)
@@ -4887,6 +4888,7 @@
 	- python3.5 <unfixed>
 	- python3.6 <unfixed>
 	- python3.7 <unfixed>
+	[wheezy] - jython <not-affected> (Vulnerable code is not provided in the binary package)
 	NOTE: Lib/webbrowser.py does not validate strings before launching the program
 	NOTE: specified by the BROWSER environment variable.
 CVE-2017-17521 (uiutil.c in FontForge through 20170731 does not validate strings before ...)
@@ -4908,9 +4910,11 @@
 	NOTE: The motivation for being minor in wheezt is that it is only for browsing help pages so the attack vector is limited.
 CVE-2017-17518 (swt/motif/browser.c in White_dune (aka whitedune) 0.30.10 does not ...)
 	- whitedune <unfixed>
+	[wheezy] - whitedune <no-dsa> (Minor issue. Vulnerable code present but an attacker can not control the URL so it is impossible to trigger it)
 	NOTE: https://sources.debian.org/src/whitedune/0.30.10-2.1/src/swt/motif/browser.c/?hl=159#L214
 CVE-2017-17517 (libsylph/utils.c in Sylpheed through 3.6 does not validate strings ...)
 	- sylpheed <unfixed>
+	[wheezy] - sylpheed <no-dsa> (Minor issue)
 	NOTE: https://sources.debian.org/src/sylpheed/3.5.1-1/libsylph/utils.c/?hl=4292#L4292
 CVE-2017-17516 (scripts/inspect_webbrowser.py in Reddit Terminal Viewer (RTV) 1.19.0 ...)
 	- rtv <unfixed>

Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt	2017-12-16 18:16:13 UTC (rev 58623)
+++ data/dla-needed.txt	2017-12-16 19:16:24 UTC (rev 58624)
@@ -82,6 +82,15 @@
 --
 otrs2 (Emilio Pozuelo)
 --
+python2.6
+  NOTE: webbrowser.py as binary is hard to exploit, but when using it as an import then it may be possible to trigger something. Should be fixed to be on the safe side even though it is not an urgent problem.
+--
+python2.7
+  NOTE: webbrowser.py as binary is hard to exploit, but when using it as an import then it may be possible to trigger something. Should be fixed to be on the safe side even though it is not an urgent problem.
+--
+python3.2
+  NOTE: webbrowser.py as binary is hard to exploit, but when using it as an import then it may be possible to trigger something. Should be fixed to be on the safe side even though it is not an urgent problem.
+--
 qemu (Guido Günther)
 --
 qemu-kvm (Guido Günther)
@@ -102,6 +111,8 @@
 --
 tiff3
 --
+tkabber
+--
 tor
 --
 wireshark (Thorsten Alteholz)

More information about the Secure-testing-commits mailing list