[Secure-testing-commits] r50173 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Wed Mar 29 16:29:41 UTC 2017


Author: carnil
Date: 2017-03-29 16:29:41 +0000 (Wed, 29 Mar 2017)
New Revision: 50173

Modified:
   data/CVE/list
Log:
Add extensive comment on CVE-2017-7275

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-03-29 15:06:54 UTC (rev 50172)
+++ data/CVE/list	2017-03-29 16:29:41 UTC (rev 50173)
@@ -177,11 +177,15 @@
 CVE-2017-7276
 	RESERVED
 CVE-2017-7275 (The ReadPCXImage function in coders/pcx.c in ImageMagick 7.0.4.9 allows ...)
-	- imagemagick <undetermined>
+	- imagemagick <unfixed> (unimportant)
 	NOTE: https://blogs.gentoo.org/ago/2017/03/27/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862-and-cve-2016-8866/
 	NOTE: https://github.com/ImageMagick/ImageMagick/issues/271
 	NOTE: Furthermore: upstream is not able to reproduce the problem as well
-	TODO: check (need to check if we are affected by the second incomplete fix as well, do not update prematurely this entry until clear from upstream)
+	NOTE: The problem result in a memory allocation issue when compiled with ASAN
+	NOTE: but unreproducible from unstream. Since no more details can be provided
+	NOTE: and the issue not addressed, treat this as "non-issue" (and thus marked
+	NOTE: unimportant). If in future details can be elaborated by the reporter
+	NOTE: we might re-evaluate this entry.
 CVE-2017-7274 (The r_pkcs7_parse_cms function in libr/util/r_pkcs7.c in radare2 1.3.0 ...)
 	- radare2 <not-affected> (Vulnerable parsers introduced in 1.3.0-git, cf. #858873)
 	NOTE: https://github.com/radare/radare2/commit/7ab66cca5bbdf6cb2d69339ef4f513d95e532dbf




More information about the Secure-testing-commits mailing list