[Git][security-tracker-team/security-tracker][master] 11 commits: CVE-2018-18828,libav: Jessie is not affected.
Markus Koschany
apo at debian.org
Tue Dec 11 20:59:08 GMT 2018
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f2560db6 by Markus Koschany at 2018-12-11T20:58:32Z
CVE-2018-18828,libav: Jessie is not affected.
- - - - -
dd9268e4 by Markus Koschany at 2018-12-11T20:58:33Z
CVE-2018-18827,CVE-2018-18826,libav: Jessie is not affected
Vulnerable code does not exist (vc1_block.c). Errors are handled gracefully.
- - - - -
d8d2fa32 by Markus Koschany at 2018-12-11T20:58:33Z
CVE-2018-14395,libav: Jessie is not affected
Only version 2 is supported
- - - - -
e8d41124 by Markus Koschany at 2018-12-11T20:58:34Z
CVE-2018-14394,libav: Jessie is affected
- - - - -
9c9c0dff by Markus Koschany at 2018-12-11T20:58:35Z
CVE-2018-13305,libav: Jessie is not affected
- - - - -
e5618305 by Markus Koschany at 2018-12-11T20:58:35Z
CVE-2018-13304,libav: Jessie is not affected
- - - - -
10d75f90 by Markus Koschany at 2018-12-11T20:58:36Z
CVE-2018-13303,libav: Jessie is not affected
- - - - -
d7a08699 by Markus Koschany at 2018-12-11T20:58:37Z
CVE-2018-13302,libav: Jessie is not affected
- - - - -
d97f5003 by Markus Koschany at 2018-12-11T20:58:37Z
CVE-2018-13301,libav: Jessie is likely not affected. We need the reproducer to
confirm this assumption.
- - - - -
28bdc50c by Markus Koschany at 2018-12-11T20:58:38Z
CVE-2018-13300,libav: Jessie is not affected
- - - - -
72f6e8ad by Markus Koschany at 2018-12-11T20:58:39Z
CVE-2018-11102,libav: Remove no-dsa tag.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -7657,12 +7657,15 @@ CVE-2018-18829 (There exists a NULL pointer dereference in ...)
NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1136
CVE-2018-18828 (There exists a heap-based buffer overflow in vc1_decode_i_block_adv in ...)
- libav <removed>
+ [jessie] - libav <not-affected> (vulnerable code is not present)
NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1135
CVE-2018-18827 (There exists a heap-based buffer over-read in ff_vc1_pred_dc in ...)
- libav <removed>
+ [jessie] - libav <not-affected> (vulnerable code is not present)
NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1135
CVE-2018-18826 (There exists a heap-based buffer overflow in vc1_decode_p_mb_intfi in ...)
- libav <removed>
+ [jessie] - libav <not-affected> (vulnerable code is not present)
NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1135
CVE-2018-18825 (Pagoda Linux panel V6.0 has XSS via the verification code associated ...)
NOT-FOR-US: Pagoda Linux panel
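Review bot: The three added [jessie] lines for CVE-2018-18828, CVE-2018-18827 and CVE-2018-18826 all give the reason "vulnerable code is not present", but the commit message for dd9268e4 gives two different reasons: that vc1_block.c does not exist and that errors are handled gracefully. Those are not the same claim, and only the first is recorded here. Consider adding a NOTE under each entry saying which of the two applies, so a later triager can recheck the not-affected call without the commit log.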
@@ -18978,12 +18981,13 @@ CVE-2018-14396 (An issue was discovered in Creme CRM 1.6.12. The salesman creati
CVE-2018-14395 (libavformat/movenc.c in FFmpeg before 4.0.2 allows attackers to cause a ...)
{DSA-4258-1}
- ffmpeg 7:4.0.2-1
- - libav <undetermined>
+ - libav <removed>
+ [jessie] - libav <not-affected> (only version 2 is supported)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/fa19fbcf712a6a6cc5a5cfdc3254a97b9bce6582
CVE-2018-14394 (libavformat/movenc.c in FFmpeg before 4.0.2 allows attackers to cause a ...)
{DSA-4249-1}
- ffmpeg 7:4.0.2-1
- - libav <undetermined>
+ - libav <removed>
NOTE: https://github.com/FFmpeg/FFmpeg/commit/3a2d21bc5f97aa0161db3ae731fc2732be6108b8
CVE-2018-14393
RESERVED
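Review bot: For CVE-2018-14394 the only change is "- libav <undetermined>" to "- libav <removed>", so the finding from commit e8d41124 that Jessie is affected is expressed only by the absence of a [jessie] line. Someone reading data/CVE/list cannot tell that apart from an entry nobody has triaged for jessie; a NOTE saying jessie was checked and is affected would make it explicit. In the CVE-2018-14395 entry, the reason "only version 2 is supported" does not say what has a version 2; naming it would make the annotation checkable.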
@@ -21535,34 +21539,40 @@ CVE-2018-13306 (System command injection in formDlna in TOTOLINK A3002RU version
NOT-FOR-US: TOTOLINK
CVE-2018-13305 (In FFmpeg 4.0.1, due to a missing check for negative values of the ...)
- ffmpeg <not-affected> (Vulnerable code not present)
- - libav <undetermined>
+ - libav <removed>
+ [jessie] - libav <not-affected> (vulnerable code is not present)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/d08d4a8c7387e758d439b0592782e4cfa2b4d6a4
NOTE: https://github.com/FFmpeg/FFmpeg/commit/d08d4a8c7387e758d439b0592782e4cfa2b4d6a4#commitcomment-30094223
CVE-2018-13304 (In libavcodec in FFmpeg 4.0.1, improper maintenance of the consistency ...)
- ffmpeg 7:4.0.2-1
[stretch] - ffmpeg <not-affected> (Vulnerable code not present)
- - libav <undetermined>
+ - libav <removed>
+ [jessie] - libav <not-affected> (vulnerable code is not present)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/bd27a9364ca274ca97f1df6d984e88a0700fb235
CVE-2018-13303 (In FFmpeg 4.0.1, a missing check for failure of a call to ...)
- ffmpeg 7:4.0.2-1
[stretch] - ffmpeg <not-affected> (Vulnerable code not present)
- - libav <undetermined>
+ - libav <removed>
+ [jessie] - libav <not-affected> (vulnerable code is not present)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/00e8181bd97c834fe60751b0c511d4bb97875f78
CVE-2018-13302 (In FFmpeg 4.0.1, improper handling of frame types (other than ...)
{DSA-4249-1}
- ffmpeg 7:3.4.3-1
- - libav <undetermined>
+ - libav <removed>
+ [jessie] - libav <not-affected> (vulnerable code is not present)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/ed22dc22216f74c75ee7901f82649e1ff725ba50
NOTE: Fixed in 3.2.11
CVE-2018-13301 (In FFmpeg 4.0.1, due to a missing check of a profile value before ...)
- ffmpeg 7:4.0.2-1 (low)
[stretch] - ffmpeg <not-affected> (3.2.x not affected)
- - libav <undetermined>
+ - libav <removed>
NOTE: https://github.com/FFmpeg/FFmpeg/commit/2aa9047486dbff12d9e040f917e5f799ed2fd78b
+ NOTE: It looks like Jessie is not affected but we need the reproducer to confirm this assumption.
CVE-2018-13300 (In FFmpeg 4.0.1, an improper argument (AVCodecParameters) passed to the ...)
{DSA-4249-1}
- ffmpeg 7:3.4.3-1
- - libav <undetermined>
+ - libav <removed>
+ [jessie] - libav <not-affected> (vulnerable code is not present)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/95556e27e2c1d56d9e18f5db34d6f756f3011148
NOTE: Fixed in 3.2.11
CVE-2018-13299
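Review bot: CVE-2018-13301 moves from "- libav <undetermined>" to "- libav <removed>" while the added NOTE says the jessie status is still an assumption awaiting a reproducer. The open question now sits only in free text, where it is easy to lose; consider keeping a marker that can be searched for until the reproducer confirms it. The other five entries in this hunk all reuse "vulnerable code is not present" with no per-CVE pointer to what was checked.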
@@ -27568,7 +27578,6 @@ CVE-2018-11103
RESERVED
CVE-2018-11102 (An issue was discovered in Libav 12.3. A read access violation in the ...)
- libav <removed> (low)
- [jessie] - libav <no-dsa> (Minor issue)
NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1128
CVE-2018-11101 (Open Whisper Signal (aka Signal-Desktop) through 1.10.1 allows XSS via ...)
- signal-desktop <itp> (bug #842943)
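Review bot: The removed line "[jessie] - libav <no-dsa> (Minor issue)" under CVE-2018-11102 is dropped with no replacement annotation, and the commit message "Remove no-dsa tag." gives no reason. Add a NOTE or extend the commit message to say why the earlier minor-issue triage no longer holds, since the entry otherwise keeps its (low) marking.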
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/47c6dbd0e540d073e222d95c6fee3abc7372ef22...72f6e8ad8112c378aa0cf078d2b8881c8a833269