[Secure-testing-commits] r49229 - data/CVE

Michael Gilbert mgilbert at moszumanska.debian.org
Sun Feb 26 05:23:43 UTC 2017


Author: mgilbert
Date: 2017-02-26 05:23:43 +0000 (Sun, 26 Feb 2017)
New Revision: 49229

Modified:
   data/CVE/list
Log:
research libvpx issues

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-02-26 04:41:10 UTC (rev 49228)
+++ data/CVE/list	2017-02-26 05:23:43 UTC (rev 49229)
@@ -14830,7 +14830,8 @@
 CVE-2017-0394 (A denial of service vulnerability in Telephony could enable a remote ...)
 	NOT-FOR-US: Android Telephony
 CVE-2017-0393 (A denial of service vulnerability in libvpx in Mediaserver could ...)
-	NOT-FOR-US: Android Mediaserver
+	- libvpx 1.6.1-1
+	NOTE: probably fixed earlier, but this was the version checked
 CVE-2017-0392 (A denial of service vulnerability in VBRISeeker.cpp in libstagefright ...)
 	NOT-FOR-US: libstagefright
 CVE-2017-0391 (A denial of service vulnerability in decoder/ihevcd_decode.c in ...)
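Review bot: The new `- libvpx 1.6.1-1` line for CVE-2017-0393 has no NOTE pointing at the upstream fix, and the added NOTE itself says 1.6.1-1 was only the version checked, so the fixed version cannot be verified from the entry. Suggest adding a NOTE with the upstream commit reference, as the CVE-2016-1621 entry does with its android.googlesource.com link, or stating how 1.6.1-1 was checked.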
@@ -24725,9 +24726,11 @@
 CVE-2016-6713 (A remote denial of service vulnerability in Mediaserver in Android 6.x ...)
 	NOT-FOR-US: Android Mediaserver
 CVE-2016-6712 (A remote denial of service vulnerability in libvpx in Mediaserver in ...)
-	NOT-FOR-US: Android Mediaserver
+	- libvpx 1.6.1-1
+	NOTE: probably fixed earlier, but this was the version checked
 CVE-2016-6711 (A remote denial of service vulnerability in libvpx in Mediaserver in ...)
-	NOT-FOR-US: Android Mediaserver
+	- libvpx 1.6.1-1
+	NOTE: probably fixed earlier, but this was the version checked
 CVE-2016-6710 (An information disclosure vulnerability in the download manager in ...)
 	NOT-FOR-US: Android
 CVE-2016-6709 (An information disclosure vulnerability in Conscrypt and BoringSSL in ...)
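Review bot: For CVE-2016-6712 and CVE-2016-6711, replacing NOT-FOR-US with `- libvpx 1.6.1-1` makes the tracker treat every libvpx version below 1.6.1-1 as affected, although the NOTE says the fix probably landed earlier and no per-release lines are given. Suggest adding explicit per-release status lines once the real fix version is known, so that stable suites are not flagged on the strength of an upper bound.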
@@ -34763,7 +34766,8 @@
 CVE-2016-3882 (Off-by-one error in server/wifi/anqp/VenueNameElement.java in Wi-Fi in ...)
 	TODO: check
 CVE-2016-3881 (The decoder_peek_si_internal function in vp9/vp9_dx_iface.c in libvpx ...)
-	TODO: check
+	- libvpx 1.6.1-1
+	NOTE: probably fixed earlier, but this was the version checked
 CVE-2016-3880 (Multiple buffer overflows in rtsp/ASessionDescription.cpp in ...)
 	TODO: check
 CVE-2016-3879 (arm-wt-22k/lib_src/eas_mdls.c in mediaserver in Android 4.x before ...)
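Review bot: The `- libvpx 1.6.1-1` line for CVE-2016-3881 may need per-release lines: the description places the flaw in vp9/vp9_dx_iface.c, and the libvpx entry changed in the last hunk of this patch carries `<not-affected> (no vp9 support in this version)` for squeeze and wheezy. Suggest checking whether the same lines belong here.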
@@ -38862,7 +38866,8 @@
 CVE-2016-2465 (The Qualcomm video driver in Android before 2016-06-01 on Nexus 5, 5X, ...)
 	NOT-FOR-US: Qualcomm driver for Android
 CVE-2016-2464 (libvpx in libwebm in mediaserver in Android 4.x before 4.4.4, 5.0.x ...)
-	TODO: check
+	- libvpx 1.6.1-1
+	NOTE: probably fixed earlier, but this was the version checked
 CVE-2016-2463 (Multiple integer overflows in the h264dec component in libstagefright ...)
 	NOT-FOR-US: libstagefright
 CVE-2016-2462 (OpenSSLCipher.java in Conscrypt in Android 6.x before 2016-05-01 ...)
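Review bot: The `- libvpx 1.6.1-1` line for CVE-2016-2464 may need per-release lines: the description places the issue in libwebm, and the CVE-2016-1621 entry in this patch marks jessie and wheezy `<not-affected> (Vulnerable code not present, libwebm not yet included)`. Suggest checking whether that status applies to this entry too.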
@@ -40864,6 +40869,7 @@
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2016-33/
 CVE-2016-1972 (Race condition in libvpx in Mozilla Firefox before 45.0 on Windows ...)
 	- iceweasel <not-affected> (Windows-specific)
+	- libvpx <not-affected> (Windows-specific)
 CVE-2016-1971 (The I420VideoFrame::CreateFrame function in the WebRTC implementation ...)
 	- iceweasel <not-affected> (Windows-specific)
 CVE-2016-1970 (Integer underflow in the srtp_unprotect function in the WebRTC ...)
@@ -42189,10 +42195,11 @@
 	[wheezy] - chromium-browser <end-of-life> (Not supported in Wheezy)
 	[squeeze] - chromium-browser <end-of-life> (Not supported in Squeeze LTS)
 CVE-2016-1621 (libvpx in mediaserver in Android 4.x before 4.4.4, 5.x before 5.1.1 ...)
-	- libvpx <unfixed>
+	- libvpx 1.6.1-1
 	[jessie] - libvpx <not-affected> (Vulnerable code not present, libwebm not yet included)
 	[wheezy] - libvpx <not-affected> (Vulnerable code not present, libwebm not yet included)
 	NOTE: https://android.googlesource.com/platform/external/libvpx/+/04839626ed859623901ebd3a5fd483982186b59d%5E!/#F1
+	NOTE: probably fixed earlier than this version, but this was the version checked
 CVE-2016-1620 (Multiple unspecified vulnerabilities in Google Chrome before ...)
 	{DSA-3456-1}
 	- chromium-browser 48.0.2564.82-1
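Review bot: The NOTE added under CVE-2016-1621 ("probably fixed earlier than this version, but this was the version checked") is worded differently from the NOTE used for the other libvpx entries in this commit ("probably fixed earlier, but this was the version checked"). Suggest using one wording so that every entry with an approximate fixed version can be found with a single search.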
@@ -58800,10 +58807,11 @@
 	{DSA-3365-1}
 	- iceweasel 38.3.0esr-1
 	[squeeze] - iceweasel <end-of-life>
-	- libvpx <unfixed>
+	- libvpx 1.4.0-4 (unimportant)
 	[squeeze] - libvpx <not-affected> (no vp9 support in this version)
 	[wheezy] - libvpx <not-affected> (no vp9 support in this version)
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-101/
+	NOTE: this is a duplicate of CVE-2015-1258, libvpx in google chrome
 CVE-2015-4505 (updater.exe in Mozilla Firefox before 41.0 and Firefox ESR 38.x before ...)
 	- iceweasel <not-affected> (Windows-specific)
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2015-100/
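Review bot: The `(unimportant)` tag on `- libvpx 1.4.0-4` is not explained: the added NOTE records that the issue duplicates CVE-2015-1258 but gives no reason for the severity. Suggest adding a NOTE with the reason for the tag, or dropping it.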



