[Secure-testing-commits] r48305 - data/CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Mon Jan 23 18:23:55 UTC 2017 

Author: jmm
Date: 2017-01-23 18:23:54 +0000 (Mon, 23 Jan 2017)
New Revision: 48305

Modified:
   data/CVE/list
Log:
more jasper triage


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-01-23 17:14:59 UTC (rev 48304)
+++ data/CVE/list	2017-01-23 18:23:54 UTC (rev 48305)
@@ -455,9 +455,10 @@
 	NOTE: https://github.com/mdadams/jasper/issues/64
 CVE-2017-5499
 	RESERVED
-	- jasper <removed>
+	- jasper <removed> (unimportant)
 	NOTE: Reproducer: https://github.com/asarubbo/poc/blob/master/00018-jasper-signedintoverflow-jpc_dec_c
 	NOTE: http://blogs.gentoo.org/ago/2017/01/16/jasper-multiple-crashes-with-ubsan/
+	NOTE: Triggers an assert. Not suitable for code injection, hardly denial of service
 CVE-2017-5498
 	RESERVED
 	- jasper <removed> (unimportant)
@@ -12632,9 +12633,10 @@
 	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697457
 CVE-2016-9600 [Null Pointer Dereference due to missing check for UNKNOWN color space in JP2 encoder]
 	RESERVED
-	- jasper <removed>
+	- jasper <removed> (unimportant)
 	NOTE: https://github.com/mdadams/jasper/issues/109
 	NOTE: Fixed by: https://github.com/mdadams/jasper/commit/a632c6b54bd4ffc3bebab420e00b7e7688aa3846
+	NOTE: Not suitable for code injection, hardly denial of service
 CVE-2016-9599
 	RESERVED
 	NOT-FOR-US: puppet-tripleo
@@ -12699,12 +12701,13 @@
 	NOTE: http://www.openwall.com/lists/oss-security/2016/12/15/5
 CVE-2016-9583 [Out of bounds heap read in jpc_pi_nextpcrl()]
 	RESERVED
-	- jasper <removed>
+	- jasper <removed> (unimportant)
 	NOTE: https://github.com/mdadams/jasper/issues/103
 	NOTE: Fixed by https://github.com/mdadams/jasper/commit/99a50593254d1b53002719bbecfc946c84b23d27
 	NOTE: The issue exists due to an overflow check which is not present
 	NOTE: in Wheezy and Jessie. However it makes sense to implement this check.
 	NOTE: This can be done when more important issues are found [wheezy].
+	NOTE: Not suitable for code injection, hardly denial of service
 CVE-2016-9582
 	RESERVED
 CVE-2016-9581 [infinite loop in tiftoimage resulting into heap buffer overflow in convert_32s_C1P1]

More information about the Secure-testing-commits mailing list