[Secure-testing-commits] r56030 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Fri Sep 22 20:19:47 UTC 2017


Author: carnil
Date: 2017-09-22 20:19:47 +0000 (Fri, 22 Sep 2017)
New Revision: 56030

Modified:
   data/CVE/list
Log:
Followup on nss issues, update status

Mark the issues as unimportant, negligible impact, needs local access to
the NSS DBM files to be crafted.

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-09-22 19:41:14 UTC (rev 56029)
+++ data/CVE/list	2017-09-22 20:19:47 UTC (rev 56030)
@@ -8119,46 +8119,34 @@
 	RESERVED
 CVE-2017-11698 [heap-buffer-overflow (write of size 2) in __get_page (lib/dbm/src/h_page.c:704)]
 	RESERVED
-	- nss <unfixed> (bug #873259)
-	[wheezy] - nss <ignored> (Minor issue)
-	NOTE: From the redhat advisory it is possible to conclude that the
-	NOTE: exploit requires specially crafted NSS NDB files and it is very unlikely
-	NOTE: a problem for services or client software using NSS.
-	NOTE: It would be good if someone with actual access to
-	NOTE: the mozilla bug can confirm this so we do not rely on redhat solely.
+	- nss <unfixed> (bug #873259; unimportant)
+	NOTE: Issues triggered by crafted DBM databases, which would
+	NOTE: require local user access to a machine running NSS and
+	NOTE: crafting the local DBM files.
 	NOTE: http://seclists.org/fulldisclosure/2017/Aug/17
 	NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1360779
 CVE-2017-11697 [Floating Point Exception in __hash_open (hash.c:229)]
 	RESERVED
-	- nss <unfixed> (bug #873258)
-	[wheezy] - nss <ignored> (Minor issue)
-	NOTE: From the redhat advisory it is possible to conclude that the
-	NOTE: exploit requires specially crafted NSS NDB files and it is very unlikely
-	NOTE: a problem for services or client software using NSS.
-	NOTE: It would be good if someone with actual access to
-	NOTE: the mozilla bug can confirm this so we do not rely on redhat solely.
+	- nss <unfixed> (bug #873258; unimportant)
+	NOTE: Issues triggered by crafted DBM databases, which would
+	NOTE: require local user access to a machine running NSS and
+	NOTE: crafting the local DBM files.
 	NOTE: http://seclists.org/fulldisclosure/2017/Aug/17
 	NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1360900
 CVE-2017-11696 [heap-buffer-overflow (write of size 65544) in __hash_open (lib/dbm/src/hash.c:241)]
 	RESERVED
-	- nss <unfixed> (bug #873257)
-	[wheezy] - nss <ignored> (Minor issue)
-	NOTE: From the redhat advisory it is possible to conclude that the
-	NOTE: exploit requires specially crafted NSS NDB files and it is very unlikely
-	NOTE: a problem for services or client software using NSS.
-	NOTE: It would be good if someone with actual access to
-	NOTE: the mozilla bug can confirm this so we do not rely on redhat solely.
+	- nss <unfixed> (bug #873257; unimportant)
+	NOTE: Issues triggered by crafted DBM databases, which would
+	NOTE: require local user access to a machine running NSS and
+	NOTE: crafting the local DBM files.
 	NOTE: http://seclists.org/fulldisclosure/2017/Aug/17
 	NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1360778
 CVE-2017-11695 [heap-buffer-overflow (write of size 8) in alloc_segs (lib/dbm/src/hash.c:1105)]
 	RESERVED
-	- nss <unfixed> (bug #873256)
-	[wheezy] - nss <ignored> (Minor issue)
-	NOTE: From the redhat advisory it is possible to conclude that the
-	NOTE: exploit requires specially crafted NSS NDB files and it is very unlikely
-	NOTE: a problem for services or client software using NSS.
-	NOTE: It would be good if someone with actual access to
-	NOTE: the mozilla bug can confirm this so we do not rely on redhat solely.
+	- nss <unfixed> (bug #873256; unimportant)
+	NOTE: Issues triggered by crafted DBM databases, which would
+	NOTE: require local user access to a machine running NSS and
+	NOTE: crafting the local DBM files.
 	NOTE: http://seclists.org/fulldisclosure/2017/Aug/17
 	NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1360782
 CVE-2017-11694 (MEDHOST Document Management System contains hard-coded credentials that ...)
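Review bot: The new NOTE lines in all four nss entries (CVE-2017-11698 down to CVE-2017-11695) state the local-access requirement as settled, but do not record what it is based on. The removed lines named the Red Hat advisory as the only source and asked for confirmation from someone with access to the Mozilla bug. Nothing in the replacement text says whether that confirmation was obtained. Consider adding one NOTE line per entry giving the basis for the assessment, so the "unimportant" tag can be traced later. Dropping the "[wheezy] - nss <ignored> (Minor issue)" lines is consistent with moving the severity onto the unstable line. The wording also changes from "NSS NDB files" to "DBM databases"; this matches the lib/dbm/src paths in the bracketed descriptions, and the log message could mention it as a correction.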



