[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reference patches for CVE-2017-837{2, 3, 4}

Salvatore Bonaccorso carnil at debian.org
Sun Feb 11 09:42:10 UTC 2018


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7c213386 by Salvatore Bonaccorso at 2018-02-11T10:40:21+01:00
Reference patches for CVE-2017-837{2,3,4}

Unfortunately libmad does not have a VCS yet where it is maintained, so
we need to reference the patches as they were added in the respective
source package.

libmad-0.15.1b/debian/patches/length-check.patch addresses CVE-2017-8374,
whereas libmad-0.15.1b/debian/patches/md_size.diff addresses
CVE-2017-8372 and CVE-2017-8373.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -44312,17 +44312,19 @@ CVE-2017-8374 (The mad_bit_skip function in bit.c in Underbit MAD libmad 0.15.1b
 	- libmad 0.15.1b-9
 	NOTE: https://blogs.gentoo.org/ago/2017/04/30/libmad-heap-based-buffer-overflow-in-mad_bit_skip-bit-c/
 	NOTE: The patch from #508133 fixed things related to this, but did not fix this.
+	NOTE: Patch in 0.15.1b-9: libmad-0.15.1b/debian/patches/length-check.patch
 CVE-2017-8373 (The mad_layer_III function in layer3.c in Underbit MAD libmad 0.15.1b ...)
 	- libmad 0.15.1b-9 (bug #287519)
 	NOTE: https://blogs.gentoo.org/ago/2017/04/30/libmad-heap-based-buffer-overflow-in-mad_layer_iii-layer3-c/
 	NOTE: The patch from #508133 applied in 0.15.1b-4 only partially fixed it
 	NOTE: "Duplicate with"/basically same as CVE-2017-8372
-	NOTE: Is this related to CVE-2016-2541?
+	NOTE: Patch in 0.15.1b-9: libmad-0.15.1b/debian/patches/md_size.diff
 CVE-2017-8372 (The mad_layer_III function in layer3.c in Underbit MAD libmad 0.15.1b, ...)
 	- libmad 0.15.1b-9 (bug #287519)
 	NOTE: https://blogs.gentoo.org/ago/2017/04/30/libmad-assertion-failure-in-layer3-c/
 	NOTE: The patch from #508133 applied in 0.15.1b-4 only partially fixed it
 	NOTE: "Duplicate" with/basically same as CVE-2017-8373
+	NOTE: Patch in 0.15.1b-9: libmad-0.15.1b/debian/patches/md_size.diff
 CVE-2017-8371 (Schneider Electric StruxureWare Data Center Expert before 7.4.0 uses ...)
 	NOT-FOR-US: Schneider Electric
 CVE-2017-8370 (IrfanView version 4.44 (32bit) with FPX Plugin 4.45 allows remote ...)
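Review bot: the removed line `NOTE: Is this related to CVE-2016-2541?` under CVE-2017-8373 drops an open tracking question without the hunk or the commit message recording how it was resolved; either keep that NOTE alongside the new `NOTE: Patch in 0.15.1b-9: libmad-0.15.1b/debian/patches/md_size.diff` line, or replace it with a NOTE stating the answer (related or not) so the reasoning is not lost from the tracker history. The three added `Patch in 0.15.1b-9:` lines are otherwise consistent with the commit message and correctly distinguish length-check.patch (CVE-2017-8374) from md_size.diff (CVE-2017-8372 and CVE-2017-8373).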



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7c213386ce5f5603e66c0b97c94e366939da8821

