[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-1000041: Add back full reference to the merge leading to fix the issue
Salvatore Bonaccorso
carnil at debian.org
Tue Feb 13 20:18:03 UTC 2018
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b9783c47 by Salvatore Bonaccorso at 2018-02-13T21:14:01+01:00
CVE-2018-1000041: Add back full reference to the merge leading to fix the issue
Agreed that there is possibly only one relevant change within that series.
Furthermore mark the issue as unimportant with the following reasoning.
Although the code change would apply and be "fixed" with the update to
2.40.20-1, the issue is very specific to leaking information of Windows
username and NTLM password hash via a specially crafted SVG file
containing an UNC path on Windows.
If an issue is very specific to another OS we might have set the entry as
well to <not-affected> (Windows specific issue).
Note for (commit-)reviewers: comment if anybody disagrees on the above
assessment and severity change.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -733,8 +733,9 @@ CVE-2018-1000042 (Security Onion Solutions Squert version 1.3.0 through 1.6.7 co
NOT-FOR-US: Security Onion Solutions Squert
CVE-2018-1000041 (GNOME librsvg version before commit ...)
{DLA-1278-1}
- - librsvg 2.40.20-1
- NOTE: Fixed by: https://github.com/GNOME/librsvg/commit/4de19d9fdddf81773125b04a4defe1ffd0d3bfe0
+ - librsvg 2.40.20-1 (unimportant)
+ NOTE: Merge of changes: https://github.com/GNOME/librsvg/commit/c6ddf2ed4d768fd88adbea2b63f575cd523022ea
+ NOTE: https://github.com/GNOME/librsvg/commit/4de19d9fdddf81773125b04a4defe1ffd0d3bfe0
CVE-2017-18174 (In the Linux kernel before 4.7, the amd_gpio_remove function in ...)
- linux 4.7.2-1
NOTE: Fixed by: https://git.kernel.org/linus/251e22abde21833b3d29577e4d8c7aaccd650eee
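Review bot: the `(unimportant)` tag added to the `librsvg 2.40.20-1` line has no accompanying NOTE recording why, so the rationale (a Windows-specific leak of the username and NTLM password hash via a UNC path in a crafted SVG) lives only in the commit message and will not be visible to someone reading data/CVE/list. Suggest adding a short NOTE under the entry stating that the issue is Windows-specific and that the code change is nonetheless included in 2.40.20-1. The second added NOTE is also a bare URL: the removed line labelled the same commit 4de19d9f with "Fixed by:", and dropping that label leaves its role relative to the "Merge of changes:" line unclear; keeping "Fixed by:" on it, or otherwise saying it is the one relevant change within the merge, would make the entry self-explanatory. The entry still carries `{DLA-1278-1}`, so it is worth confirming that the severity change is intended to sit alongside an issued advisory.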
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b9783c4789db8903b8a1f687bc6f262deb037c06