[Secure-testing-commits] r55514 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Wed Sep 6 19:16:27 UTC 2017


Author: carnil
Date: 2017-09-06 19:16:27 +0000 (Wed, 06 Sep 2017)
New Revision: 55514

Modified:
   data/CVE/list
Log:
Add CVE-2017-14164/openjpeg2

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-09-06 19:14:19 UTC (rev 55513)
+++ data/CVE/list	2017-09-06 19:16:27 UTC (rev 55514)
@@ -31,11 +31,17 @@
 	RESERVED
 CVE-2017-14153
 	RESERVED
+CVE-2017-14164 [incomplete fix for CVE-2017-14152]
+	- openjpeg2 <not-affected> (Incomplete fix for CVE-2017-14152 not applied)
 CVE-2017-14152 (A mishandled zero case was discovered in opj_j2k_set_cinema_parameters ...)
 	- openjpeg2 <unfixed> (bug #874431)
 	NOTE: https://blogs.gentoo.org/ago/2017/08/16/openjpeg-heap-based-buffer-overflow-in-opj_write_bytes_le-cio-c/
 	NOTE: https://github.com/uclouvain/openjpeg/commit/4241ae6fbbf1de9658764a80944dc8108f2b4154
 	NOTE: https://github.com/uclouvain/openjpeg/issues/985
+	NOTE: When fixing this issue make sure to apply the complete fix including the following
+	NOTE: commit:
+	NOTE: https://github.com/uclouvain/openjpeg/commit/dcac91b8c72f743bda7dbfa9032356bc8110098a
+	NOTE: to not make openjpeg2 vulnerable to CVE-2017-14164.
 CVE-2017-14151 (An off-by-one error was discovered in ...)
 	- openjpeg2 <unfixed> (bug #874430)
 	NOTE: https://blogs.gentoo.org/ago/2017/08/16/openjpeg-heap-based-buffer-overflow-in-opj_mqc_flush-mqc-c/
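Review bot: The new CVE-2017-14164 entry is inserted between CVE-2017-14153 and CVE-2017-14152, which breaks the descending ID order that the surrounding context lines follow (14153, 14152, 14151); it should sit at its numeric position above CVE-2017-14153. The entry also carries no NOTE of its own: commit dcac91b8c72f743bda7dbfa9032356bc8110098a is referenced only under CVE-2017-14152, so someone reading the 14164 entry alone cannot see which upstream commit it refers to. Consider repeating that commit URL as a NOTE under CVE-2017-14164, since its <not-affected> status depends on how the still <unfixed> CVE-2017-14152 is later fixed in openjpeg2.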



