[Secure-testing-commits] r48631 - in data: . CVE
Balint Reczey
rbalint at moszumanska.debian.org
Tue Jan 31 20:46:30 UTC 2017
Author: rbalint
Date: 2017-01-31 20:46:30 +0000 (Tue, 31 Jan 2017)
New Revision: 48631
Modified:
data/CVE/list
data/dla-needed.txt
Log:
wavpack's issues don't affect wheezy
The first part of the upstream patch is not needed since the
code is very different and not vulnerable.
The second part applies, but does not make any difference when
trying the exploits. Tested with valgrind on Wheezy.
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-01-31 20:10:36 UTC (rev 48630)
+++ data/CVE/list 2017-01-31 20:46:30 UTC (rev 48631)
@@ -260,16 +260,19 @@
CVE-2016-10171 [heap out of bounds read in unreorder_channels / wvunpack.c]
RESERVED
- wavpack 5.0.0-2 (bug #853076)
+ [wheezy] - wavpack <not-affected> (Vulnerable code not present)
NOTE: https://sourceforge.net/p/wavpack/mailman/message/35561939/
NOTE: Fixed by: https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc (5.1.0)
CVE-2016-10170 [heap out of bounds read in WriteCaffHeader / caff.c]
RESERVED
- wavpack 5.0.0-2 (bug #853076)
+ [wheezy] - wavpack <not-affected> (Vulnerable code not present)
NOTE: https://sourceforge.net/p/wavpack/mailman/message/35561921/
NOTE: Fixed by: https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc (5.1.0)
CVE-2016-10169 [global buffer overread in read_code / read_words.c]
RESERVED
- wavpack 5.0.0-2 (bug #853076)
+ [wheezy] - wavpack <not-affected> (Vulnerable code not present)
NOTE: https://sourceforge.net/p/wavpack/mailman/message/35557889/
NOTE: Fixed by: https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc (5.1.0)
CVE-2016-10166 [Fix potential unsigned underflow]
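Review bot: the three added "[wheezy] - wavpack <not-affected> (Vulnerable code not present)" lines for CVE-2016-10171, CVE-2016-10170 and CVE-2016-10169 all carry the same reason, but the commit log says only the first part of the upstream patch targets code that differs in wheezy, while the second part applies. For whichever entry the applicable part belongs to, use a reason that matches the log, or add a NOTE under it stating that the code is present but the exploits made no difference under valgrind on Wheezy, so the basis for the triage decision is recorded in data/CVE/list and not only in the commit message.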
Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt 2017-01-31 20:10:36 UTC (rev 48630)
+++ data/dla-needed.txt 2017-01-31 20:46:30 UTC (rev 48631)
@@ -101,11 +101,6 @@
--
svgsalamander
--
-wavpack (Balint Reczey)
- NOTE: the provided testcases don't crash but this hunk
- NOTE: https://github.com/dbry/WavPack/commit/4bc05fc490b66ef2d45b1de26abf1455b486b0dc#diff-bc1807cb462afb05056502f77834c6ebR291
- NOTE: is missing in the wheezy version
---
wordpress (Markus Koschany)
--
xen
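Review bot: deleting the wavpack entry also deletes its three NOTE lines, which were the only tracker record that the R291 hunk of upstream commit 4bc05fc490b66ef2d45b1de26abf1455b486b0dc is missing in the wheezy version. The data/CVE/list hunk in this revision adds no NOTE pointing at that hunk, so carry the reference over to the CVE it belongs to before dropping it here; otherwise a later reviewer of the wheezy status has no pointer to the code that was checked.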