[Secure-testing-commits] r58868 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Sat Dec 23 13:34:27 UTC 2017


Author: carnil
Date: 2017-12-23 13:34:27 +0000 (Sat, 23 Dec 2017)
New Revision: 58868

Modified:
   data/CVE/list
Log:
Mark CVE-2017-17522 as unimportant

Hardly an issue with security impact and as well disputed upstream as
the code in question relies on further processing via subprocess.Popen
and with the default shell=False.

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-12-23 13:31:03 UTC (rev 58867)
+++ data/CVE/list	2017-12-23 13:34:27 UTC (rev 58868)
@@ -5404,18 +5404,20 @@
 	[wheezy] - lilypond <no-dsa> (Minor issue)
 	NOTE: https://sourceforge.net/p/testlilyissues/issues/5243/
 CVE-2017-17522 (** DISPUTED ** Lib/webbrowser.py in Python through 3.6.3 does not ...)
-	- jython <unfixed>
+	- jython <unfixed> (unimportant)
 	[wheezy] - jython <not-affected> (Vulnerable code is not provided in the binary package)
-	- python2.6 <removed>
-	- python2.7 <unfixed>
-	- python3.2 <removed>
-	- python3.4 <removed>
-	- python3.5 <unfixed>
-	- python3.6 <unfixed>
-	- python3.7 <unfixed>
+	- python2.6 <removed> (unimportant)
+	- python2.7 <unfixed> (unimportant)
+	- python3.2 <removed> (unimportant)
+	- python3.4 <removed> (unimportant)
+	- python3.5 <unfixed> (unimportant)
+	- python3.6 <unfixed> (unimportant)
+	- python3.7 <unfixed> (unimportant)
 	NOTE: Lib/webbrowser.py does not validate strings before launching the program
 	NOTE: specified by the BROWSER environment variable.
 	NOTE: https://bugs.python.org/issue32367
+	NOTE: Hardly an issue with security impact, as the problematic code further relies
+	NOTE: on subprocess.Popen with the default shell=False.
 CVE-2017-17521 (uiutil.c in FontForge through 20170731 does not validate strings before ...)
 	- fontforge <unfixed> (unimportant)
 	NOTE: https://sources.debian.org/src/fontforge/1:20170731%7Edfsg-1/fontforgeexe/uiutil.c/#L285
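Review bot: The added NOTE lines at the end of the CVE-2017-17522 entry justify the downgrade only by subprocess.Popen being called with the default shell=False, yet the same hunk also tags `- jython <unfixed>` as (unimportant) without stating that Jython's bundled copy of webbrowser.py goes through the same Popen path. Consider adding a NOTE line confirming this for the jython source package, or leaving jython at plain <unfixed> until it has been checked, so that the severity of each package is backed by the entry itself.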



