[Secure-testing-commits] r49646 - data/CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Mon Mar 13 18:38:52 UTC 2017
Author: jmm
Date: 2017-03-13 18:38:52 +0000 (Mon, 13 Mar 2017)
New Revision: 49646
Modified:
data/CVE/list
Log:
jasper triage
several gstreamer 0.10 no-dsa
NFUs
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-03-13 16:31:08 UTC (rev 49645)
+++ data/CVE/list 2017-03-13 18:38:52 UTC (rev 49646)
@@ -54,10 +54,14 @@
RESERVED
- jasper <removed>
NOTE: http://www.openwall.com/lists/oss-security/2016/11/04/11
+ NOTE: https://github.com/mdadams/jasper/commit/1f0dfe5a42911b6880a1445f13f6d615ddb55387
+ NOTE: https://github.com/asarubbo/poc/blob/master/00029-jasper-uninitvalue-jpc_pi_nextcprl
CVE-2016-10248 [NULL pointer dereference in jpc_tsfb_synthesize (jpc_tsfb.c)]
RESERVED
- - jasper <removed>
+ - jasper <removed> (unimportant)
NOTE: http://www.openwall.com/lists/oss-security/2016/10/20/5
+ NOTE: Not suitable for code injection, hardly denial of service
+ NOTE: https://github.com/mdadams/jasper/commit/2e82fa00466ae525339754bb3ab0a0474a31d4bd
CVE-2016-10247
RESERVED
- mupdf <unfixed> (unimportant)
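Review bot: The justification added under CVE-2016-10248, "Not suitable for code injection, hardly denial of service", does not say why a NULL pointer dereference in jpc_tsfb_synthesize is not counted as a denial of service. Since the entry is downgraded to (unimportant), spell out the reasoning in the NOTE. The two added github.com/mdadams/jasper commit NOTEs are also unlabelled: if they are the upstream fixes, prefix them with "Fixed by:" in the same way the qemu entry further down uses "Introduced by:". Consider pinning the asarubbo/poc link to a commit rather than blob/master so the reference stays stable.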
@@ -3027,6 +3031,7 @@
{DLA-829-1}
- gst-plugins-ugly1.0 1.10.4-1 (low)
- gst-plugins-ugly0.10 <unfixed> (low)
+ [jessie] - gst-plugins-ugly0.10 <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/7
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777955
NOTE: https://github.com/GStreamer/gst-plugins-ugly/commit/d21017b52a585f145e8d62781bcc1c5fefc7ee37
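Review bot: The added [jessie] line gives only "Minor issue" as the reason for <no-dsa>, while the same entry carries {DLA-829-1} and the 0.10 package stays <unfixed> (low). A short NOTE stating why jessie does not get an update would make the triage decision reviewable later. The same applies to the other four gst-plugins-*0.10 [jessie] lines added in this commit.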
@@ -3034,6 +3039,7 @@
{DLA-829-1}
- gst-plugins-ugly1.0 1.10.3-1 (low)
- gst-plugins-ugly0.10 <unfixed> (low)
+ [jessie] - gst-plugins-ugly0.10 <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/7
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777937
CVE-2017-5845 (The gst_avi_demux_parse_ncdt function in gst/avi/gstavidemux.c in ...)
@@ -3068,6 +3074,7 @@
{DLA-828-1}
- gst-plugins-good1.0 1.10.3-1 (low)
- gst-plugins-good0.10 <unfixed> (low)
+ [jessie] - gst-plugins-good0.10 <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/7
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777469
CVE-2017-5839 (The gst_riff_create_audio_caps function in ...)
@@ -3084,6 +3091,7 @@
{DLA-827-1}
- gst-plugins-base1.0 1.10.3-1 (low)
- gst-plugins-base0.10 <unfixed> (low)
+ [jessie] - gst-plugins-base0.10 <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/7
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777262
CVE-2016-10199 (The qtdemux_tag_add_str_full function in gst/isomp4/qtdemux.c in ...)
@@ -3095,6 +3103,7 @@
{DLA-828-1}
- gst-plugins-good1.0 1.10.3-1 (low)
- gst-plugins-good0.10 <unfixed> (low)
+ [jessie] - gst-plugins-good0.10 <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/02/01/7
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=775450
CVE-2016-XXXX [iio-sensor-proxy: insecure dbus policy]
@@ -16266,9 +16275,9 @@
CVE-2017-0479 (An elevation of privilege vulnerability in Audioserver could enable a ...)
NOT-FOR-US: Android Audioserver
CVE-2017-0478 (A remote code execution vulnerability in the Framesequence library ...)
- TODO: check
+ NOT-FOR-US: Framesequence library
CVE-2017-0477 (A remote code execution vulnerability in libgdx could enable an ...)
- TODO: check
+ NOT-FOR-US: libgdx
CVE-2017-0476 (A remote code execution vulnerability in AOSP Messaging could enable ...)
NOT-FOR-US: Android
CVE-2017-0475 (An elevation of privilege vulnerability in the recovery verifier could ...)
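Review bot: The two new NOT-FOR-US labels, "Framesequence library" and "libgdx", drop the "Android" qualifier that the neighbouring entries use ("Android Audioserver", "Android"). If these were triaged as Android components, write "NOT-FOR-US: Android Framesequence library" for consistency. For libgdx, which the CVE description names as a library in its own right, it is worth confirming that no source package in the archive embeds a copy before closing it as NOT-FOR-US.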
@@ -33238,15 +33247,15 @@
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg04027.html
NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commit;h=e351b82611293683c4cabe4b69b7552bde5d4e2a (v2.6.0-rc0)
CVE-2016-4950 (Cloudera Manager 5.5 and earlier allows remote attackers to enumerate ...)
- TODO: check
+ NOT-FOR-US: Cloudera Manager
CVE-2016-4949 (Cloudera Manager 5.5 and earlier allows remote attackers to obtain ...)
- TODO: check
+ NOT-FOR-US: Cloudera Manager
CVE-2016-4948 (Multiple cross-site scripting (XSS) vulnerabilities in Cloudera ...)
- TODO: check
+ NOT-FOR-US: Cloudera Manager
CVE-2016-4947 (Cloudera HUE 3.9.0 and earlier allows remote attackers to enumerate ...)
- TODO: check
+ NOT-FOR-US: Cloudera HUE
CVE-2016-4946 (Multiple cross-site scripting (XSS) vulnerabilities in Cloudera HUE ...)
- TODO: check
+ NOT-FOR-US: Cloudera HUE
CVE-2016-4945 (Cross-site scripting (XSS) vulnerability in ...)
NOT-FOR-US: Citrix NetScaler Gateway
CVE-2015-8880 (Double free vulnerability in the format printer in PHP 7.x before ...)