[Git][security-tracker-team/security-tracker][master] 2 commits: [libav LTS triaging] data/CVE/list: libav in jessie is affected by…

Mike Gabriel sunweaver at debian.org
Fri Dec 14 23:57:39 GMT 2018


Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c23bea19 by Mike Gabriel at 2018-12-14T22:29:23Z
[libav LTS triaging] data/CVE/list: libav in jessie is affected by CVE-2014-9317. The code is just at another location (in decode_frame()).

- - - - -
6f39f8d7 by Mike Gabriel at 2018-12-14T23:56:28Z
[libav LTS triaging] document libav fixup status for CVEs from 2014-2016

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -144844,6 +144844,7 @@ CVE-2015-8219 (The init_tile function in libavcodec/jpeg2000dec.c in FFmpeg befo
 	- ffmpeg 7:2.8.2-1
 	[squeeze] - ffmpeg <not-affected> (Vulnerable code not present)
 	- libav <removed>
+	[jessie] - libav <not-affected> (Vulnerable code not present)
 	[wheezy] - libav <not-affected> (Vulnerable code not present)
 	NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commit;h=43492ff3ab68a343c1264801baa1d5a02de10167
 CVE-2015-8218 (The decode_uncompressed function in libavcodec/faxcompr.c in FFmpeg ...)
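
Review bot: The added "[jessie] - libav <not-affected> (Vulnerable code not present)" line for CVE-2015-8219 reverses the earlier triage without recording why. The dla-needed.txt note removed in this same push read "CVE-2015-8219: patch available, issue untested (no PoC), vulnerable". Consider adding a NOTE line under this CVE stating what was checked in the jessie source, so the change from "vulnerable" to "not-affected" can be verified later from the entry itself.
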
@@ -169185,7 +169186,7 @@ CVE-2014-9318 (The raw_decode function in libavcodec/rawdec.c in FFMpeg before 2
 	[squeeze] - ffmpeg <not-affected> (Vulnerable code not present)
 	NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=1d3a3b9f8907625b361420d48fe05716859620ff
 CVE-2014-9317 (The decode_ihdr_chunk function in libavcodec/pngdec.c in FFMpeg before ...)
-	- libav <not-affected> (Vulnerable code not present)
+	- libav <removed>
 	- ffmpeg 2.4.4-1
 	[squeeze] - ffmpeg <not-affected> (Vulnerable code not present)
 	NOTE: ffmpeg: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=79ceaf827be0b070675d4cd0a55c3386542defd8
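
Review bot: Replacing "- libav <not-affected> (Vulnerable code not present)" with "- libav <removed>" under CVE-2014-9317 leaves the reasoning only in the commit message. That message says the jessie code is affected but sits in decode_frame() rather than decode_ihdr_chunk(); a NOTE line saying so would keep the finding next to the entry. This hunk also adds no release-specific line, unlike the [jessie] and [wheezy] lines used for CVE-2015-8219 above, so it is worth confirming that dropping the blanket not-affected marking yields the intended status for every release that still ships libav.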


=====================================
data/dla-needed.txt
=====================================
@@ -54,18 +54,17 @@ libav (Markus Koschany, Mike Gabriel)
   NOTE: 20181129: "undetermined" issues. Then we can decide what CVE should be fixed ASAP.
   NOTE: 20181130: Adding my self as co-worker. Coordination of CVEs to be worked on: IRC
   NOTE: 20181130: #debian-lts.
-  NOTE: 20181130: CVE-2015-6761: patch available, issue non-reproducible, vulnerable (maybe: not-affected instead)
-  NOTE: 20181130: CVE-2015-6818: patch available, issue untested (no PoC), vulnerable
-  NOTE: 20181130: CVE-2015-6820: patch available, issue untested (no PoC), vulnerable
-  NOTE: 20181130: CVE-2015-6821: patch available, issue untested (no PoC), vulnerable
-  NOTE: 20181130: CVE-2015-6822: patch available, issue untested (no PoC), vulnerable
-  NOTE: 20181130: CVE-2015-6823: patch available, issue untested (no PoC), vulnerable
-  NOTE: 20181130: CVE-2015-6824: patch available, issue untested (no PoC), vulnerable
-  NOTE: 20181130: CVE-2015-6825: patch available, issue untested (no PoC), vulnerable
-  NOTE: 20181130: CVE-2015-6826: patch available, issue untested (no PoC), vulnerable
-  NOTE: 20181130: CVE-2015-8216: patch available (does not apply cleanly), issue untested (no PoC), vulnerable
-  NOTE: 20181130: CVE-2015-8217: similar patch applied, issue untested, not-affected (@apo: please double-check)
-  NOTE: 20181130: CVE-2015-8219: patch available, issue untested (no PoC), vulnerable
+  NOTE: 20181130: CVE-2015-6761 (fixed): patch available, issue non-reproducible, vulnerable (maybe: not-affected instead)
+  NOTE: 20181130: CVE-2015-6818 (fixed): patch available, issue untested (no PoC), vulnerable
+  NOTE: 20181130: CVE-2015-6820 (fixed): patch available, issue untested (no PoC), vulnerable
+  NOTE: 20181130: CVE-2015-6821 (fixed): patch available, issue untested (no PoC), vulnerable
+  NOTE: 20181130: CVE-2015-6822 (fixed): patch available, issue untested (no PoC), vulnerable
+  NOTE: 20181130: CVE-2015-6823 (fixed): same patch as for CVE-2015-6822, issue untested (no PoC), vulnerable
+  NOTE: 20181130: CVE-2015-6824 (fixed): same patch as for CVE-2015-6822, issue untested (no PoC), vulnerable
+  NOTE: 20181130: CVE-2015-6825 (fixed): patch available, issue untested (no PoC), vulnerable
+  NOTE: 20181130: CVE-2015-6826 (fixed): patch available, issue untested (no PoC), vulnerable
+  NOTE: 20181130: CVE-2015-8216 (fixed): patch available (does not apply cleanly), issue untested (no PoC), vulnerable
+  NOTE: 20181130: CVE-2015-8217 (fixed): similar patch applied, issue untested, not-affected (@apo: please double-check)
   NOTE: 20181130: CVE-2015-8363: patch available, issue untested (no PoC), vulnerable
   NOTE: 20181130: CVE-2015-8364: patch available, issue untested (no PoC), vulnerable
   NOTE: 20181130: CVE-2015-8661: patch available, issue untested (no PoC), vulnerable
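
Review bot: The rewritten notes carry both "(fixed)" and the old trailing verdict "vulnerable", which reads as contradictory, and the CVE-2015-8217 line pairs "(fixed)" with "not-affected (@apo: please double-check)". Suggest either dropping the stale verdict or rewording it so it clearly describes the state before the patch was applied. The lines also keep the 20181130 stamp although the status changed in this push, so the date no longer says when "(fixed)" was determined. The CVE-2015-8219 note is dropped rather than marked; that matches the not-affected entry added in data/CVE/list, but nothing here says so.
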
@@ -82,6 +81,7 @@ libav (Markus Koschany, Mike Gabriel)
   NOTE: 20181206: CVE-2016-9824: no patch available, PoC available (needs testing), currently <no-dsa>
   NOTE: 20181206: CVE-2016-9825: no patch available, PoC available (needs testing), currently <ignored>
   NOTE: 20181206: CVE-2016-9826: no patch available, PoC available (needs testing), currently <ignored>
+  NOTE: 20181214: CVE-2014-9317 (fixed): patch available, issue untested (no PoC), vulnerable
 --
 libsndfile (Hugo Lefeuvre)
   NOTE: 20181214: waiting for upstream to approve my patches before upload
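
Review bot: The new "CVE-2014-9317 (fixed)" note is appended after CVE-2016-9826, which breaks the ascending CVE order the visible entries otherwise follow. Placing it ahead of the CVE-2015-6761 line would keep the list scannable. It also repeats the "(fixed) ... vulnerable" wording, so the same rewording applies here.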



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/7ace6f0f01dd566205f39cc8865288e3a1647562...6f39f8d719b9fd36ebb8bd7ca576e094898fba46
