[Secure-testing-commits] r57514 - data/CVE
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Thu Nov 9 21:11:15 UTC 2017
Author: carnil
Date: 2017-11-09 21:11:15 +0000 (Thu, 09 Nov 2017)
New Revision: 57514
Modified:
data/CVE/list
Log:
Update CVE-2017-14687: mark as no-dsa
Reasoning: The issue was not directly triggerable with the provided poc.
Non-tags in tag name comparisons were handled by using fz_xml_is_tag
instead of the fz_xml_tag && !strcmp idioms, which are found in several
places in related code.
It's not entirely clear if the vulerable code is not present e.g. back
in 1.5-1+deb8u2 since the reporter did not provide pocs publicly and the
description from https://bugs.ghostscript.com/show_bug.cgi?id=698558 is
unhelpful.
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-11-09 21:10:15 UTC (rev 57513)
+++ data/CVE/list 2017-11-09 21:11:15 UTC (rev 57514)
@@ -5625,9 +5625,10 @@
CVE-2017-14687 (Artifex MuPDF 1.11 allows attackers to cause a denial of service or ...)
{DSA-4006-1 DLA-1164-1}
- mupdf 1.11+ds1-1.1 (bug #877379)
- [jessie] - mupdf <not-affected> (poc not effective)
+ [jessie] - mupdf <no-dsa> (Minor issue)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698558
NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;h=2b16dbd8f73269cb15ca61ece75cf8d2d196ed28
+ NOTE: Several fz_xml_tag && !strcmp idoms are used in older versions
CVE-2017-14686 (Artifex MuPDF 1.11 allows attackers to execute arbitrary code or cause ...)
{DSA-4006-1}
- mupdf 1.11+ds1-1.1 (bug #877379)
More information about the Secure-testing-commits
mailing list