[Secure-testing-commits] r51420 - data/CVE

Ola Lundqvist opal at moszumanska.debian.org
Mon May 8 20:44:40 UTC 2017


Author: opal
Date: 2017-05-08 20:44:40 +0000 (Mon, 08 May 2017)
New Revision: 51420

Modified:
   data/CVE/list
Log:
Marked quite a few issues as no-dsa for libpodofo.

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-05-08 19:35:11 UTC (rev 51419)
+++ data/CVE/list	2017-05-08 20:44:40 UTC (rev 51420)
@@ -141,6 +141,7 @@
 	NOT-FOR-US: Accellion FTA devices
 CVE-2017-8787 (The PoDoFo::PdfXRefStreamParserObject::ReadXRefStreamEntry function in ...)
 	- libpodofo <unfixed> (bug #861738)
+	NOTE: Possible unspecified impact. Needs further analysis.
 CVE-2017-8786 (pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of ...)
 	- pcre2 <unfixed> (unimportant; bug #861873)
 	NOTE: https://bugs.exim.org/show_bug.cgi?id=2079
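Review bot: the new NOTE on CVE-2017-8787 records uncertainty but not a decision. It is the only libpodofo entry in this commit that does not receive a [wheezy] no-dsa tag, and a reader of the list cannot tell whether that is deliberate or an oversight. Suggest stating it, e.g. `NOTE: Not marked no-dsa for wheezy until the impact of the xref stream parsing bug is understood`, so the next triager does not assume the entry was simply skipped in the bulk tagging.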
@@ -1881,11 +1882,19 @@
 	NOT-FOR-US: WatchGuard
 CVE-2017-8054 (The function PdfPagesTree::GetPageNodeFromArray in PdfPageTree.cpp:464 ...)
 	- libpodofo <unfixed> (bug #860995)
+	[wheezy] - libpodofo <no-dsa> (Minor issue)
+	NOTE: The motivation for no-dsa in wheezy is that there are no known
+	NOTE: services that use this library (apart from desktop applications)
+	NOTE: and the worst case is a DoS.
 	NOTE: http://qwertwwwe.github.io/2017/04/22/PoDoFo-0-9-5-allows-remote-attackers-to-cause-a-denial-of-service-infinit-loop/
 	NOTE: PoC: https://github.com/qwertwwwe/PoC/blob/master/podofo/PoC
 CVE-2017-8053 (PoDoFo 0.9.5 allows denial of service (infinite recursion and stack ...)
 	- libpodofo <unfixed> (bug #860994)
+	[wheezy] - libpodofo <no-dsa> (Minor issue)
 	NOTE: http://openwall.com/lists/oss-security/2017/04/22/1
+	NOTE: The motivation for no-dsa in wheezy is that there are no known
+	NOTE: services that use this library (apart from desktop applications)
+	NOTE: and the worst case is a DoS.
 CVE-2017-8052 (Craft CMS before 2.6.2974 allows XSS attacks. ...)
 	NOT-FOR-US: Craft CMS
 CVE-2017-8051 (Tenable Appliance 3.5 - 4.4.0, and possibly prior versions, contains a ...)
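Review bot: the placement of the three-line justification is inconsistent within this hunk: for CVE-2017-8054 it is inserted directly under the [wheezy] line, before the existing NOTE links, while for CVE-2017-8053 it goes after the oss-security link. Pick one order (the rest of the commit puts the justification directly under the [wheezy] line) so the entries stay uniform. The same three NOTE lines are also repeated verbatim for every entry; that is a limitation of the list format, but a shorter wording such as `NOTE: no-dsa for wheezy: libpodofo is only used by desktop apps, worst case DoS` would keep the entries readable while preserving the reasoning.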
@@ -3808,18 +3817,34 @@
 	RESERVED
 CVE-2017-7383 (The PdfFontFactory.cpp:195:62 code in PoDoFo 0.9.5 allows remote ...)
 	- libpodofo <unfixed> (bug #859329)
+	[wheezy] - libpodofo <no-dsa> (Minor issue)
+	NOTE: The motivation for no-dsa in wheezy is that there are no known
+	NOTE: services that use this library (apart from desktop applications)
+	NOTE: and the worst case is a DoS.
 	NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/3
 	NOTE: https://github.com/asarubbo/poc/blob/master/00252-podofo-nullptr4
 CVE-2017-7382 (The PdfFontFactory.cpp:200:88 code in PoDoFo 0.9.5 allows remote ...)
 	- libpodofo <unfixed> (bug #859329)
+	[wheezy] - libpodofo <no-dsa> (Minor issue)
+	NOTE: The motivation for no-dsa in wheezy is that there are no known
+	NOTE: services that use this library (apart from desktop applications)
+	NOTE: and the worst case is a DoS.
 	NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/3
 	NOTE: https://github.com/asarubbo/poc/blob/master/00251-podofo-nullptr3
 CVE-2017-7381 (The doc/PdfPage.cpp:609:23 code in PoDoFo 0.9.5 allows remote attackers ...)
 	- libpodofo <unfixed> (bug #859329)
+	[wheezy] - libpodofo <no-dsa> (Minor issue)
+	NOTE: The motivation for no-dsa in wheezy is that there are no known
+	NOTE: services that use this library (apart from desktop applications)
+	NOTE: and the worst case is a DoS.
 	NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/3
 	NOTE: https://github.com/asarubbo/poc/blob/master/00251-podofo-nullptr2
 CVE-2017-7380 (The doc/PdfPage.cpp:614:20 code in PoDoFo 0.9.5 allows remote attackers ...)
 	- libpodofo <unfixed> (bug #859329)
+	[wheezy] - libpodofo <no-dsa> (Minor issue)
+	NOTE: The motivation for no-dsa in wheezy is that there are no known
+	NOTE: services that use this library (apart from desktop applications)
+	NOTE: and the worst case is a DoS.
 	NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/3
 	NOTE: https://github.com/asarubbo/poc/blob/master/00250-podofo-nullptr1
 CVE-2017-7379 (The PoDoFo::PdfSimpleEncoding::ConvertToEncoding function in ...)
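Review bot: CVE-2017-7379 (PdfSimpleEncoding::ConvertToEncoding), which follows the four tagged entries, is left untouched by this hunk although the four entries sharing bug #859329 all receive the DoS-only justification. If 7379 was skipped on purpose because its impact is not limited to a denial of service, a NOTE saying so would make that visible in the list; if it was an oversight, it needs the same triage. The four tagged entries themselves are consistent with the rationale: the PoC file names (nullptr1 to nullptr4) indicate NULL pointer dereferences.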
@@ -3829,6 +3854,10 @@
 	NOTE: upstream fix: https://sourceforge.net/p/podofo/code/1842/
 CVE-2017-7378 (The PoDoFo::PdfPainter::ExpandTabs function in PdfPainter.cpp in PoDoFo ...)
 	- libpodofo <unfixed> (bug #859330)
+	[wheezy] - libpodofo <no-dsa> (Minor issue)
+	NOTE: The motivation for no-dsa in wheezy is that there are no known
+	NOTE: services that use this library (apart from desktop applications)
+	NOTE: and the worst case is a DoS.
 	NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/1
 CVE-2017-7377 (The (1) v9fs_create and (2) v9fs_lcreate functions in hw/9pfs/9p.c in ...)
 	- qemu 1:2.8+dfsg-4 (bug #859854)
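Review bot: the [wheezy] line for CVE-2017-7378 carries the generic text `(Minor issue)` while the actual reasoning lives in the three NOTE lines below it. The parenthesised text is what appears in tracker summaries, so consider putting the one-line reason there, e.g. `[wheezy] - libpodofo <no-dsa> (Minor issue; only used by desktop apps, worst case DoS)`, and keeping the NOTE lines for the longer explanation. The same applies to every [wheezy] line in this commit; raising it once here.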
@@ -6537,22 +6566,42 @@
 	NOT-FOR-US: EvoStream Media Server
 CVE-2017-6849 (The PoDoFo::PdfColorGray::~PdfColorGray function in PdfColor.cpp in ...)
 	- libpodofo <unfixed> (bug #861566)
+	[wheezy] - libpodofo <no-dsa> (Minor issue)
+	NOTE: The motivation for no-dsa in wheezy is that there are no known
+	NOTE: services that use this library (apart from desktop applications)
+	NOTE: and the worst case is a DoS.
 	NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/10
 	NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcolorgraypdfcolorgray-pdfcolor-cpp
 CVE-2017-6848 (The PoDoFo::PdfXObject::PdfXObject function in PdfXObject.cpp in ...)
 	- libpodofo <unfixed> (bug #861565)
+	[wheezy] - libpodofo <no-dsa> (Minor issue)
+	NOTE: The motivation for no-dsa in wheezy is that there are no known
+	NOTE: services that use this library (apart from desktop applications)
+	NOTE: and the worst case is a DoS.
 	NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/9
 	NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfxobjectpdfxobject-pdfxobject-cpp
 CVE-2017-6847 (The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo ...)
 	- libpodofo <unfixed> (bug #861564)
+	[wheezy] - libpodofo <no-dsa> (Minor issue)
+	NOTE: The motivation for no-dsa in wheezy is that there are no known
+	NOTE: services that use this library (apart from desktop applications)
+	NOTE: and the worst case is a DoS.
 	NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/8
 	NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfvariantdelayedload-pdfvariant-h
 CVE-2017-6846 (The GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace ...)
 	- libpodofo <unfixed> (bug #861563)
+	[wheezy] - libpodofo <no-dsa> (Minor issue)
+	NOTE: The motivation for no-dsa in wheezy is that there are no known
+	NOTE: services that use this library (apart from desktop applications)
+	NOTE: and the worst case is a DoS.
 	NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/7
 	NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphicsstacktgraphicsstackelementsetnonstrokingcolorspace-graphicsstack-h/
 CVE-2017-6845 (The PoDoFo::PdfColor::operator function in PdfColor.cpp in PoDoFo ...)
 	- libpodofo <unfixed> (bug #861562)
+	[wheezy] - libpodofo <no-dsa> (Minor issue)
+	NOTE: The motivation for no-dsa in wheezy is that there are no known
+	NOTE: services that use this library (apart from desktop applications)
+	NOTE: and the worst case is a DoS.
 	NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/6
 	NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcoloroperator-pdfcolor-cpp
 CVE-2017-6844 (Buffer overflow in the PoDoFo::PdfParser::ReadXRefSubsection function ...)
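Review bot: the five entries tagged here (CVE-2017-6849 to CVE-2017-6845) are all NULL pointer dereferences according to the linked Gentoo write-ups, so the "worst case is a DoS" reasoning holds for them. The hunk stops at CVE-2017-6844 (Buffer overflow in PdfParser::ReadXRefSubsection), which stays untagged; that is the right call for a memory-corruption bug, but nothing in the list records it, so a `NOTE: not no-dsa for wheezy: buffer overflow, impact beyond DoS` on 6844 would prevent it being swept up in a later bulk tagging.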
@@ -6567,14 +6616,26 @@
 	NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-heap-based-buffer-overflow-in-podofopdfvariantdelayedload-pdfvariant-h
 CVE-2017-6842 (The ColorChanger::GetColorFromStack function in colorchanger.cpp in ...)
 	- libpodofo <unfixed> (bug #861559)
+	[wheezy] - libpodofo <no-dsa> (Minor issue)
+	NOTE: The motivation for no-dsa in wheezy is that there are no known
+	NOTE: services that use this library (apart from desktop applications)
+	NOTE: and the worst case is a DoS.
 	NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/3
 	NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-colorchangergetcolorfromstack-colorchanger-cpp
 CVE-2017-6841 (The GraphicsStack::TGraphicsStackElement::~TGraphicsStackElement ...)
 	- libpodofo <unfixed> (bug #861558)
+	[wheezy] - libpodofo <no-dsa> (Minor issue)
+	NOTE: The motivation for no-dsa in wheezy is that there are no known
+	NOTE: services that use this library (apart from desktop applications)
+	NOTE: and the worst case is a DoS.
 	NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/2
 	NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphicsstacktgraphicsstackelementtgraphicsstackelement-graphicsstack-h
 CVE-2017-6840 (The ColorChanger::GetColorFromStack function in colorchanger.cpp in ...)
 	- libpodofo <unfixed> (bug #861557)
+	[wheezy] - libpodofo <no-dsa> (Minor issue)
+	NOTE: The motivation for no-dsa in wheezy is that there are no known
+	NOTE: services that use this library (apart from desktop applications)
+	NOTE: and the worst case is a DoS.
 	NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/1
 	NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-invalid-memory-read-in-colorchangergetcolorfromstack-colorchanger-cpp
 CVE-2017-6426
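Review bot: the DoS-only justification does not match the reference for CVE-2017-6840. The linked Gentoo post describes an invalid memory read in ColorChanger::GetColorFromStack, not a NULL pointer dereference as for CVE-2017-6842 and CVE-2017-6841. An out-of-bounds read can disclose memory contents as well as crash the process, so either confirm that the read is a guaranteed crash before tagging it no-dsa with this wording, or adjust the NOTE for 6840 to say why an information leak is not a concern for a local desktop application opening an untrusted PDF.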