[Secure-testing-commits] r56908 - data/CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Sat Oct 21 16:53:51 UTC 2017
Author: jmm
Date: 2017-10-21 16:53:51 +0000 (Sat, 21 Oct 2017)
New Revision: 56908
Modified:
data/CVE/list
Log:
update three additional lame issues
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-10-21 16:48:23 UTC (rev 56907)
+++ data/CVE/list 2017-10-21 16:53:51 UTC (rev 56908)
@@ -5406,7 +5406,7 @@
CVE-2017-13713 (T&W WIFI Repeater BE126 allows remote authenticated users to execute ...)
NOT-FOR-US: T&W WIFI Repeater BE126
CVE-2017-13712 (NULL Pointer Dereference in the id3v2AddAudioDuration function in ...)
- - lame <unfixed>
+ - lame 3.100-1 (low)
[stretch] - lame <no-dsa> (Minor issue)
[jessie] - lame <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/lame/bugs/472/
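Review bot: The new "- lame 3.100-1 (low)" line for CVE-2017-13712 records a fixed version with no NOTE saying what fixed it; the only reference on the entry is the upstream bug 472 link. The other two entries touched in this revision get a NOTE explaining why their fixed version was chosen, so a one-line NOTE here stating that the id3v2AddAudioDuration NULL pointer dereference is addressed in the 3.100 upstream code would let a later reader verify the entry without rereading the upstream tracker.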
@@ -14688,17 +14688,21 @@
NOTE: https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_i_stereo-layer3-c/
NOTE: https://sourceforge.net/p/lame/bugs/483/
CVE-2017-9870 (The III_i_stereo function in layer3.c in mpglib, as used in ...)
- - lame <unfixed> (bug #867725)
- [stretch] - lame <no-dsa> (Minor issue)
+ - lame 3.99.5+repack1-8 (bug #867725)
[jessie] - lame <no-dsa> (Minor issue)
NOTE: https://blogs.gentoo.org/ago/2017/06/17/lame-global-buffer-overflow-in-iii_i_stereo-layer3-c/
NOTE: https://sourceforge.net/p/lame/bugs/481/
+ NOTE: Starting with 3.99.5+repack1-8 libsndfile is used to read the input file, marking that as the fixed
+ NOTE: version, although the internal lame code was only fixed in 3.100 (strictly speaking that would be
+ NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations
CVE-2017-9869 (The II_step_one function in layer2.c in mpglib, as used in ...)
- - lame <unfixed> (bug #867725)
- [stretch] - lame <no-dsa> (Minor issue)
+ - lame 3.99.5+repack1-8 (bug #867725)
[jessie] - lame <no-dsa> (Minor issue)
NOTE: https://blogs.gentoo.org/ago/2017/06/17/lame-global-buffer-overflow-in-ii_step_one-layer2-c/
NOTE: https://sourceforge.net/p/lame/bugs/475/
+ NOTE: Starting with 3.99.5+repack1-8 libsndfile is used to read the input file, marking that as the fixed
+ NOTE: version, although the internal lame code was only fixed in 3.100 (strictly speaking that would be
+ NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations
CVE-2017-9868 (In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is ...)
- mosquitto <unfixed> (bug #865959)
[stretch] - mosquitto <no-dsa> (Minor issue)
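Review bot: The three-line NOTE added under both CVE-2017-9870 and CVE-2017-9869 opens a parenthesis at "(strictly speaking that would be" and never closes it; the last line should end "suite-specific severity annotations)". On substance, the NOTE itself says the internal lame code was only fixed in 3.100, so "- lame 3.99.5+repack1-8" records that input files are now read through libsndfile, not that the III_i_stereo and II_step_one code was patched, and the removal of the "[stretch] - lame <no-dsa>" lines depends on that reading. It would help to state in the NOTE that the mpglib code itself remains unfixed until 3.100, so anyone tracking the vulnerable functions rather than the input path is not misled by the fixed version.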