[Secure-testing-commits] r56906 - data/CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Sat Oct 21 13:50:59 UTC 2017 

Author: jmm
Date: 2017-10-21 13:50:59 +0000 (Sat, 21 Oct 2017)
New Revision: 56906

Modified:
   data/CVE/list
Log:
investigated some lame issues, more to follow


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-10-21 13:00:56 UTC (rev 56905)
+++ data/CVE/list	2017-10-21 13:50:59 UTC (rev 56906)
@@ -1549,11 +1549,17 @@
 	NOTE: https://github.com/antirez/redis/issues/4278
 	NOTE: Pull request: https://github.com/antirez/redis/pull/4365
 CVE-2017-15046 (LAME 3.99.5 has a stack-based buffer overflow in unpack_read_samples ...)
-	- lame <unfixed>
+	- lame 3.99.5+repack1-8
 	NOTE: https://sourceforge.net/p/lame/bugs/479/
+	NOTE: Starting with 3.99.5+repack1-8 libsndfile is used to read the input file, marking that as the fixed
+	NOTE: version, although the internal lame code was only fixed in 3.100 (strictly speaking that would be
+	NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations
 CVE-2017-15045 (LAME 3.99.5 has a heap-based buffer over-read in fill_buffer in ...)
-	- lame <unfixed>
+	- lame 3.99.5+repack1-8
 	NOTE: https://sourceforge.net/p/lame/bugs/478/
+	NOTE: Starting with 3.99.5+repack1-8 libsndfile is used to read the input file, marking that as the fixed
+	NOTE: version, although the internal lame code was only fixed in 3.100 (strictly speaking that would be
+	NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations
 CVE-2017-15044
 	RESERVED
 CVE-2017-15043
@@ -1673,8 +1679,11 @@
 	- lame <unfixed>
 	NOTE: https://sourceforge.net/p/lame/bugs/477/
 CVE-2017-15018 (LAME 3.99.5 has a heap-based buffer over-read when handling a malformed ...)
-	- lame <unfixed>
+	- lame 3.99.5+repack1-8
 	NOTE: https://sourceforge.net/p/lame/bugs/480/
+	NOTE: Starting with 3.99.5+repack1-8 libsndfile is used to read the input file, marking that as the fixed
+	NOTE: version, although the internal lame code was only fixed in 3.100 (strictly speaking that would be
+	NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations
 CVE-2017-15017 (ImageMagick 7.0.7-0 Q16 has a NULL pointer dereference vulnerability in ...)
 	{DLA-1131-1}
 	- imagemagick <unfixed> (bug #878554)

More information about the Secure-testing-commits mailing list