[Secure-testing-commits] r51890 - in data: . CVE

Emilio Pozuelo Monfort pochu at moszumanska.debian.org
Tue May 23 17:50:24 UTC 2017


Author: pochu
Date: 2017-05-23 17:50:23 +0000 (Tue, 23 May 2017)
New Revision: 51890

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
lrzip no-dsa on wheezy

no arbitrary code execution, just a possible application crash / dos
like with the other lrzip recent cves


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-05-23 17:24:06 UTC (rev 51889)
+++ data/CVE/list	2017-05-23 17:50:23 UTC (rev 51890)
@@ -924,10 +924,12 @@
 	NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-use-after-free-in-read_stream-stream-c/
 CVE-2017-8845 (The lzo1x_decompress function in lzo1x_d.ch in LZO 2.08, as used in ...)
 	- lrzip <unfixed> (bug #863151)
+	[wheezy] - lrzip <no-dsa> (Minor issue)
 	NOTE: https://github.com/ckolivas/lrzip/issues/68
 	NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-invalid-memory-read-in-lzo_decompress_buf-stream-c/
 CVE-2017-8844 (The read_1g function in stream.c in liblrzip.so in lrzip 0.631 allows ...)
 	- lrzip <unfixed> (bug #863153)
+	[wheezy] - lrzip <no-dsa> (Minor issue)
 	NOTE: https://github.com/ckolivas/lrzip/issues/70
 	NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-heap-based-buffer-overflow-write-in-read_1g-stream-c/
 CVE-2017-8843 (The join_pthread function in stream.c in liblrzip.so in lrzip 0.631 ...)
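Review bot: The `[wheezy] - lrzip <no-dsa> (Minor issue)` line added under CVE-2017-8844 uses the same bare rationale as the one under CVE-2017-8845, but the NOTE link for 8844 describes a heap-based buffer overflow write in read_1g, while the link for 8845 describes an invalid memory read. A write overflow is not obviously limited to a crash, so the 8844 entry would benefit from a NOTE line recording why it is judged to be DoS only. That way later triage does not have to rederive the reasoning from the commit log.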

Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt	2017-05-23 17:24:06 UTC (rev 51889)
+++ data/dla-needed.txt	2017-05-23 17:50:23 UTC (rev 51890)
@@ -71,8 +71,6 @@
 --
 linux
 --
-lrzip
---
 lzo2
   NOTE: 20170520, no patch available yet
   NOTE: Maintainer has told us to go ahead and fix it.
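Review bot: Dropping `lrzip` from data/dla-needed.txt is only correct if every open lrzip CVE already has a wheezy triage tag, and this revision adds tags for CVE-2017-8845 and CVE-2017-8844 only. The CVE-2017-8843 entry appears in the data/CVE/list hunk as trailing context with its tag lines not shown, so please confirm that it and the remaining lrzip entries already carry a `[wheezy]` line before removing the package here.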



