[Secure-testing-commits] r48888 - data/CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Mon Feb 13 21:57:12 UTC 2017


Author: jmm
Date: 2017-02-13 21:57:12 +0000 (Mon, 13 Feb 2017)
New Revision: 48888

Modified:
   data/CVE/list
Log:
libwebp unimportant


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-02-13 21:55:06 UTC (rev 48887)
+++ data/CVE/list	2017-02-13 21:57:12 UTC (rev 48888)
@@ -5487,7 +5487,7 @@
 CVE-2017-3903
 	RESERVED
 CVE-2017-3902 (Cross-site scripting (XSS) vulnerability in the Web user interface ...)
-	TODO: check
+	NOT-FOR-US: Intel Security ePO
 CVE-2017-3901
 	RESERVED
 CVE-2017-3900
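
Review bot: The log message ("libwebp unimportant") does not cover the CVE-2017-3902 triage in this hunk, so anyone searching the history for when this entry moved from "TODO: check" to NOT-FOR-US will not find it by message. Suggest extending the log line to mention the NOT-FOR-US triage, or committing the triage separately from the libwebp change.
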
@@ -5499,7 +5499,7 @@
 CVE-2017-3897
 	RESERVED
 CVE-2017-3896 (Unvalidated parameter vulnerability in the remote log viewing ...)
-	TODO: check
+	NOT-FOR-US: Intel McAfee
 CVE-2017-3895
 	RESERVED
 CVE-2016-10087 (The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before ...)
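
Review bot: The tag "NOT-FOR-US: Intel McAfee" on CVE-2017-3896 names only the vendor, while the entry for CVE-2017-3902 in the same commit uses "Intel Security ePO", so the two entries use different vendor spellings and only one identifies a product. Suggest naming the affected product from the CVE description here and using one vendor form for both entries, which keeps the NOT-FOR-US lines greppable.
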
@@ -16621,13 +16621,14 @@
 CVE-2016-9031 (An exploitable integer overflow exists in the Joyent SmartOS ...)
 	NOT-FOR-US: Joyent SmartOS
 CVE-2016-9085 (Multiple integer overflows in libwebp allows attackers to have ...)
-	- libwebp <unfixed> (bug #842714)
+	- libwebp <unfixed> (unimportant; bug #842714)
 	[wheezy] - libwebp <not-affected> (vulnerable code not present)
 	NOTE: https://chromium.googlesource.com/webm/libwebp/+/e2affacc35f1df6cc3b1a9fa0ceff5ce2d0cce83
 	NOTE: Report: https://bugs.chromium.org/p/webp/issues/detail?id=314 (private)
 	NOTE: For libwebp only in examples, but other projects seem to use the gifdec.c
 	NOTE: Origin of the file seems to be from libav
-	TODO: check: 0.5.1-3 claims the upload fixed CVE-2016-8888 and CVE-2016-9085 but the taken patch looks different, needs investigation
+	NOTE: 0.5.1-3 claims the upload fixed CVE-2016-8888 and CVE-2016-9085 but the taken patches
+	NOTE: look different, needs further investigation before marking as fixed
 CVE-2016-9084 (drivers/vfio/pci/vfio_pci_intrs.c in the Linux kernel through 4.8.11 ...)
 	- linux 4.8.11-1
 	[jessie] - linux 3.16.39-1
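
Review bot: The "unimportant" marker added to the libwebp line for CVE-2016-9085 has no NOTE stating the reason. The nearest explanation is the existing "For libwebp only in examples" note, and that same line adds that other projects seem to use gifdec.c, so the basis for the severity is left to the reader. Suggest adding a NOTE that states the rationale explicitly. Separately, the "TODO: check" about the 0.5.1-3 upload becomes two NOTE lines that still say "needs further investigation"; if that work is still open, keeping a TODO marker would stop it from dropping out of the open-items view, and the same question applies to CVE-2016-8888, which the note names.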



