[Secure-testing-commits] r49974 - in data: . CVE
Ola Lundqvist
opal at moszumanska.debian.org
Thu Mar 23 19:14:13 UTC 2017
Author: opal
Date: 2017-03-23 19:14:13 +0000 (Thu, 23 Mar 2017)
New Revision: 49974
Modified:
data/CVE/list
data/dla-needed.txt
Log:
Triaging for libvpx.
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-03-23 18:42:41 UTC (rev 49973)
+++ data/CVE/list 2017-03-23 19:14:13 UTC (rev 49974)
@@ -17457,6 +17457,8 @@
CVE-2017-0393 (A denial of service vulnerability in libvpx in Mediaserver could ...)
- libvpx 1.6.1-1
NOTE: probably fixed earlier, but this was the version checked
+ NOTE: The wheezy source is confirmed (by code inspection) to be vulnerable.
+ NOTE: https://android.googlesource.com/platform/external/libvpx/+/6886e8e0a9db2dbad723dc37a548233e004b33bc
CVE-2017-0392 (A denial of service vulnerability in VBRISeeker.cpp in libstagefright ...)
NOT-FOR-US: libstagefright
CVE-2017-0391 (A denial of service vulnerability in decoder/ihevcd_decode.c in ...)
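Review bot: the added NOTE says the wheezy source is confirmed vulnerable, but no wheezy status line follows it, so the tracker's wheezy state for CVE-2017-0393 is unchanged by this commit. Consider adding an explicit entry in the same `[wheezy] - libvpx <...>` form used for the other CVEs in this commit, so the result of the inspection is machine-readable rather than only recorded in a NOTE; the Android commit link already gives the reference for a backport.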
@@ -27341,10 +27343,13 @@
NOT-FOR-US: Android Mediaserver
CVE-2016-6712 (A remote denial of service vulnerability in libvpx in Mediaserver in ...)
- libvpx 1.6.1-1
+ [wheezy] - libvpx <not-affected> (Vulnerable code not present)
NOTE: probably fixed earlier, but this was the version checked
CVE-2016-6711 (A remote denial of service vulnerability in libvpx in Mediaserver in ...)
- libvpx 1.6.1-1
NOTE: probably fixed earlier, but this was the version checked
+ NOTE: Wheezy is confirmed (by code inspection) to have vulnerable source.
+ NOTE: https://android.googlesource.com/platform/external/libvpx/+/063be1485e0099bc81ace3a08b0ec9186dcad693
CVE-2016-6710 (An information disclosure vulnerability in the download manager in ...)
NOT-FOR-US: Android
CVE-2016-6709 (An information disclosure vulnerability in Conscrypt and BoringSSL in ...)
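Review bot: the reason text on the CVE-2016-6712 line, `(Vulnerable code not present)`, differs from the `(Vulnerable source not present)` wording used for the other not-affected entries in this commit; pick one phrasing so the entries can be grepped consistently. Also, CVE-2016-6711 gains a NOTE confirming wheezy has the vulnerable source but no `[wheezy] - libvpx <...>` status line, so its wheezy state is not actually updated here.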
@@ -37368,6 +37373,7 @@
NOT-FOR-US: Android
CVE-2016-3881 (The decoder_peek_si_internal function in vp9/vp9_dx_iface.c in libvpx ...)
- libvpx 1.6.1-1
+ [wheezy] - libvpx <not-affected> (Vulnerable source not present)
NOTE: probably fixed earlier, but this was the version checked
CVE-2016-3880 (Multiple buffer overflows in rtsp/ASessionDescription.cpp in ...)
NOT-FOR-US: libstagefright
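Review bot: the `[wheezy] - libvpx <not-affected> (Vulnerable source not present)` line for CVE-2016-3881 carries no supporting NOTE or reference, unlike the other wheezy findings in this commit, which cite the upstream Android commit. Since the description names `decoder_peek_si_internal` in `vp9/vp9_dx_iface.c`, a short NOTE recording what was checked (for instance whether that function exists in wheezy's libvpx source) would let a later triager verify the not-affected claim.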
@@ -41470,8 +41476,7 @@
CVE-2016-2465 (The Qualcomm video driver in Android before 2016-06-01 on Nexus 5, 5X, ...)
NOT-FOR-US: Qualcomm driver for Android
CVE-2016-2464 (libvpx in libwebm in mediaserver in Android 4.x before 4.4.4, 5.0.x ...)
- - libvpx 1.6.1-1
- NOTE: probably fixed earlier, but this was the version checked
+ - libvpx <not-affected> (Vulnerable source not present)
CVE-2016-2463 (Multiple integer overflows in the h264dec component in libstagefright ...)
NOT-FOR-US: libstagefright
CVE-2016-2462 (OpenSSLCipher.java in Conscrypt in Android 6.x before 2016-05-01 ...)
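Review bot: this hunk replaces the unscoped `- libvpx 1.6.1-1` line with an equally unscoped `- libvpx <not-affected> (Vulnerable source not present)`, so the not-affected status now applies to every suite rather than to wheezy only, and the `NOTE: probably fixed earlier, but this was the version checked` line is dropped. If the intent was a wheezy-only finding like the other hunks, the line should be `[wheezy] - libvpx <not-affected> (Vulnerable source not present)` with the original 1.6.1-1 entry and its NOTE kept; if libvpx is genuinely not affected in any suite, a NOTE explaining why the earlier assessment changed would help.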
Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt 2017-03-23 18:42:41 UTC (rev 49973)
+++ data/dla-needed.txt 2017-03-23 19:14:13 UTC (rev 49974)
@@ -75,6 +75,9 @@
libreoffice (Emilio Pozuelo)
NOTE: Rene (maintainer) is working on the patch since the proposed one seems to be incomplete
--
+libvpx
+ NOTE: The CVEs needs further triaging.
+--
libxml-twig-perl
NOTE: no upstream fix yet (as of 2017-02-28) for expand_external_ents
NOTE: but new no_xxe flag in 3.50 that could be backported
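Review bot: the new dla-needed.txt entry says the CVEs need further triaging but does not name them, while this same commit already settles several libvpx CVEs for wheezy; listing the ones still open (CVE-2017-0393 and CVE-2016-6711 are the two this commit marks as having vulnerable wheezy source) would save the next person re-reading data/CVE/list. Minor: `The CVEs needs further triaging.` should read `The CVEs need further triaging.`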