[Secure-testing-commits] r48169 - data/CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Wed Jan 18 21:21:00 UTC 2017
Author: jmm
Date: 2017-01-18 21:21:00 +0000 (Wed, 18 Jan 2017)
New Revision: 48169
Modified:
data/CVE/list
Log:
more jasper triage
NFUs
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-01-18 21:10:11 UTC (rev 48168)
+++ data/CVE/list 2017-01-18 21:21:00 UTC (rev 48169)
@@ -310,9 +310,10 @@
TODO: check
CVE-2017-5505
RESERVED
- - jasper <removed>
+ - jasper <removed> (unimportant)
NOTE: https://blogs.gentoo.org/ago/2017/01/16/jasper-invalid-memory-read-in-jas_matrix_asl-jas_seq-c
NOTE: https://github.com/mdadams/jasper/issues/88
+ NOTE: Not suitable for code injection, hardly denial of service
CVE-2017-5504
RESERVED
- jasper <removed>
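Review bot: The NOTE added to CVE-2017-5505, "Not suitable for code injection, hardly denial of service", states the conclusion without the reasoning, while the linked report is titled as an invalid memory read in jas_matrix_asl. Suggest stating the worst outcome of that read in the NOTE, so the (unimportant) rating can be re-checked later without re-reading the upstream issue. CVE-2017-5504 directly below still has a bare "- jasper <removed>"; if it was assessed in the same pass, give it a severity as well.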
@@ -5301,6 +5302,7 @@
RESERVED
CVE-2017-3387
RESERVED
+ NOT-FOR-US: Oracle
CVE-2017-3386
RESERVED
CVE-2017-3385
@@ -5337,8 +5339,10 @@
RESERVED
CVE-2017-3369
RESERVED
+ NOT-FOR-US: Oracle
CVE-2017-3368
RESERVED
+ NOT-FOR-US: Oracle
CVE-2017-3367
RESERVED
CVE-2017-3366
@@ -5507,6 +5511,7 @@
RESERVED
CVE-2017-3303
RESERVED
+ NOT-FOR-US: Oracle
CVE-2017-3302
RESERVED
CVE-2017-3301
@@ -5558,24 +5563,30 @@
RESERVED
CVE-2017-3286
RESERVED
+ NOT-FOR-US: Oracle
CVE-2017-3285
RESERVED
CVE-2017-3284
RESERVED
CVE-2017-3283
RESERVED
+ NOT-FOR-US: Oracle
CVE-2017-3282
RESERVED
+ NOT-FOR-US: Oracle
CVE-2017-3281
RESERVED
+ NOT-FOR-US: Oracle
CVE-2017-3280
RESERVED
+ NOT-FOR-US: Oracle
CVE-2017-3279
RESERVED
CVE-2017-3278
RESERVED
CVE-2017-3277
RESERVED
+ NOT-FOR-US: Oracle
CVE-2017-3276
RESERVED
NOT-FOR-US: Solaris
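Review bot: In this hunk CVE-2017-3285, CVE-2017-3284, CVE-2017-3279 and CVE-2017-3278 stay RESERVED with no tag while the entries around them are marked "NOT-FOR-US: Oracle". If the gaps are deliberate, a TODO or NOTE on those four would make that visible; as it stands they read as skipped.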
@@ -5687,6 +5698,7 @@
RESERVED
CVE-2017-3246
RESERVED
+ NOT-FOR-US: Oracle
CVE-2017-3245
RESERVED
NOT-FOR-US: Oracle FLEXCUBE
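Review bot: The tag added to CVE-2017-3246 is a bare "NOT-FOR-US: Oracle", whereas the next entry names the product ("NOT-FOR-US: Oracle FLEXCUBE"). Suggest naming the product here too, since the vendor name alone does not record which software was ruled out.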
@@ -15493,12 +15505,13 @@
CVE-2016-8887 [NULL pointer dereference in jp2_colr_destroy (jp2_cod.c)]
RESERVED
{DLA-739-1}
- - jasper <removed>
+ - jasper <removed> (unimportant)
NOTE: https://blogs.gentoo.org/ago/2016/10/18/jasper-null-pointer-dereference-in-jp2_colr_destroy-jp2_cod-c
NOTE: Fixed by: https://github.com/mdadams/jasper/commit/e24bdc716c3327b067c551bc6cfb97fd2370358d (version-1.900.10)
NOTE: When fixing this issue look at the followup report
NOTE: https://blogs.gentoo.org/ago/2016/10/23/jasper-null-pointer-dereference-in-jp2_colr_destroy-jp2_cod-c-incomplete-fix-for-cve-2016-8887
NOTE: and include the fix to not make jasper vulnerable to the incomplete fix.
+ NOTE: Not suitable for code injection, hardly denial of service
CVE-2016-8886 [memory allocation failure in jas_malloc (jas_malloc.c)]
RESERVED
- jasper <removed> (low)
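Review bot: CVE-2016-8887 is downgraded to (unimportant) while the entry still references {DLA-739-1} and keeps the NOTEs telling whoever fixes it to include the follow-up fix for the incomplete patch. Suggest extending the new NOTE to say that the rating reflects impact only and the fix guidance still applies, otherwise the two read as contradictory. CVE-2016-8886 just below remains (low); worth confirming it was not meant to be re-rated in the same pass.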
@@ -15520,14 +15533,16 @@
NOTE: https://blogs.gentoo.org/ago/2016/10/18/jasper-two-null-pointer-dereference-in-bmp_getdata-bmp_dec-c-incomplete-fix-for-cve-2016-8690
CVE-2016-8883 (The jpc_dec_tiledecode function in jpc_dec.c in JasPer before 1.900.8 ...)
{DLA-739-1}
- - jasper <removed>
+ - jasper <removed> (unimportant)
NOTE: https://github.com/mdadams/jasper/issues/32
NOTE: https://github.com/mdadams/jasper/commit/33cc2cfa51a8d0fc3116d16cc1d8fc581b3f9e8d
+ NOTE: Not suitable for code injection, hardly denial of service
CVE-2016-8882 (The jpc_dec_tilefini function in libjasper/jpc/jpc_dec.c in JasPer ...)
{DLA-739-1}
- - jasper <removed>
+ - jasper <removed> (unimportant)
NOTE: https://github.com/mdadams/jasper/issues/30
NOTE: https://github.com/mdadams/jasper/commit/69a1439a5381e42b06ec6a06ed2675eb793babee (version-1.900.8)
+ NOTE: Not suitable for code injection, hardly denial of service
CVE-2016-8881
REJECTED
CVE-2016-8880
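Review bot: The same one-line rationale is pasted onto CVE-2016-8883 and CVE-2016-8882, but neither entry says what kind of failure it is (the descriptions are truncated and only issue and commit links are given), so "hardly denial of service" cannot be checked from the entry itself. Suggest naming the failure mode in each NOTE. While touching CVE-2016-8883, its commit NOTE could also carry the fixed version, as the CVE-2016-8882 one does with "(version-1.900.8)".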
@@ -15675,15 +15690,17 @@
CVE-2016-8692 [FPE on unknown address ... jpc_dec_process_siz ... jpc_dec.c]
RESERVED
{DLA-739-1}
- - jasper <removed> (low; bug #841111)
+ - jasper <removed> (unimportant; low; bug #841111)
NOTE: https://blogs.gentoo.org/ago/2016/10/16/jasper-two-divide-by-zero-in-jpc_dec_process_siz-jpc_dec-c/
NOTE: Fixed by: https://github.com/mdadams/jasper/commit/d8c2604cd438c41ec72aff52c16ebd8183068020 (version-1.900.4)
+ NOTE: Not suitable for code injection, hardly denial of service
CVE-2016-8691 [FPE on unknown address ... jpc_dec_process_siz ... jpc_dec.c]
RESERVED
{DLA-739-1}
- - jasper <removed> (bug #841111)
+ - jasper <removed> (unimportant; bug #841111)
NOTE: https://blogs.gentoo.org/ago/2016/10/16/jasper-two-divide-by-zero-in-jpc_dec_process_siz-jpc_dec-c/
NOTE: Fixed by: https://github.com/mdadams/jasper/commit/d8c2604cd438c41ec72aff52c16ebd8183068020 (version-1.900.4)
+ NOTE: Not suitable for code injection, hardly denial of service
CVE-2016-8690 [SEGV on unknown address ... bmp_getdata ... bmp_dec.c]
RESERVED
- jasper <removed> (low; bug #841112)
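Review bot: On CVE-2016-8692 the annotation becomes "(unimportant; low; bug #841111)", which carries two severity levels at once, while CVE-2016-8691 below ends up with "unimportant" only. Suggest dropping "low" so the line reads "(unimportant; bug #841111)" and matches its sibling. CVE-2016-8690 in the trailing context is still (low; bug #841112); if it is pending triage, a TODO would mark it.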