[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2017-17783, graphicsmagick: Wheezy is not affected
Markus Koschany
apo at debian.org
Sun Jan 7 22:28:42 UTC 2018
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
761f24d8 by Markus Koschany at 2018-01-07T23:21:32+01:00
CVE-2017-17783,graphicsmagick: Wheezy is not affected
Issue is not reproducible with ASAN. The function GetPalmPaletteGivenBits
is not present in Wheezy.
- - - - -
b8efa3dd by Markus Koschany at 2018-01-07T23:26:06+01:00
CVE-2017-17913,graphicsmagick: Wheezy is not affected
webp feature has not been implemented
- - - - -
0147cfaf by Markus Koschany at 2018-01-07T23:28:04+01:00
Reserve DLA-1231-1 for graphicsmagick
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -3834,6 +3834,7 @@ CVE-2017-17914 (In ImageMagick 7.0.7-16 Q16, a vulnerability was found in the fu
NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/42781eeebadf111a2e01559735ea504a78192046
CVE-2017-17913 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a stack-based ...)
- graphicsmagick 1.3.27-3
+ [wheezy] - graphicsmagick <not-affected> (webp feature has not been implemented)
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/88313ebe379c
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/6dda3c33f35f
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/536/
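Review bot: the reason on the added `[wheezy]` line, "webp feature has not been implemented", does not say where the feature is missing and reads differently from the other not-affected tag added in this push. The CVE description is truncated in this file, so a reader cannot tell from the entry alone that the issue sits in the WebP code path. Suggest wording such as `(vulnerable code not present, WebP support not implemented in wheezy's version)`, which matches the "vulnerable code not present" phrasing used for CVE-2017-17783.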
@@ -4343,6 +4344,7 @@ CVE-2017-17783 (In GraphicsMagick 1.3.27a, there is a buffer over-read in ReadPA
- graphicsmagick 1.3.27-2 (bug #884904)
[stretch] - graphicsmagick <no-dsa> (Minor issue, built with QuantumDepth=16)
[jessie] - graphicsmagick <no-dsa> (Minor issue)
+ [wheezy] - graphicsmagick <not-affected> (vulnerable code not present, unreproducible with ASAN)
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=60932931559a
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/529/
CVE-2017-17782 (In GraphicsMagick 1.3.27a, there is a heap-based buffer over-read in ...)
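Review bot: the added `[wheezy]` reason for CVE-2017-17783 combines two different kinds of evidence, and the stronger one is under-specified. "vulnerable code not present" is sufficient for `<not-affected>`, while "unreproducible with ASAN" would not be enough by itself. The commit message names the missing function (GetPalmPaletteGivenBits); putting that name in the parenthesised reason or in a NOTE line would let the next triager verify the claim against the wheezy source without reading the commit log.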
=====================================
data/DLA/list
=====================================
--- a/data/DLA/list
+++ b/data/DLA/list
@@ -1,3 +1,6 @@
+[07 Jan 2018] DLA-1231-1 graphicsmagick - security update
+ {CVE-2017-17498 CVE-2017-17500 CVE-2017-17501 CVE-2017-17502 CVE-2017-17503 CVE-2017-17782 CVE-2017-17912 CVE-2017-17915}
+ [wheezy] - graphicsmagick 1.3.16-1.1+deb7u16
[04 Jan 2018] DLA-1230-1 xen - security update
{CVE-2017-17044 CVE-2017-17045 CVE-2017-17563 CVE-2017-17564 CVE-2017-17565 CVE-2017-17566}
[wheezy] - xen 4.1.6.lts1-11
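Review bot: the CVE set in braces on the new DLA-1231-1 entry should be cross-checked against the `[wheezy]` tags in data/CVE/list, because this same push marks two graphicsmagick CVEs as `<not-affected>` there. CVE-2017-17913 and CVE-2017-17783 are correctly absent from the braces. For the eight that are listed, including CVE-2017-17782 whose entry directly follows the edited one, no `[wheezy]` status line is visible in this diff, so confirm that none of them carries a conflicting `<not-affected>` or `<no-dsa>` tag.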
=====================================
data/dla-needed.txt
=====================================
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -26,8 +26,6 @@ gdk-pixbuf (Chris Lamb)
--
gifsicle (Chris Lamb)
--
-graphicsmagick (Markus Koschany)
---
icu
NOTE: 20171229: CVE-2017-15422 was reported via Google Code issue report in Chromium project; report is not visible to the public
--
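Review bot: the removal of `graphicsmagick (Markus Koschany)` from data/dla-needed.txt is not mentioned in any of the three commit messages; the last one only says "Reserve DLA-1231-1 for graphicsmagick". The separator handling is right (the entry and one `--` are removed together, so gifsicle and icu stay delimited), but adding a few words about dropping the dla-needed.txt entry to the message would make the release of the claim explicit in the log.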
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/06f7a42fbb1c6e45cdb3f51ded17fef18d607542...0147cfaf1be3ae3ae4424677aca14da37f559331