[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Update status for CVE-2018-7440 and CVE-2018-3836
Salvatore Bonaccorso
carnil at debian.org
Fri Mar 2 19:24:30 UTC 2018
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f6dd99b0 by Salvatore Bonaccorso at 2018-03-02T20:24:16+01:00
Update status for CVE-2018-7440 and CVE-2018-3836
Since the incomplete fix for CVE-2018-3836 was not applied to stretch
and jessie, mark those versions as not affected (with explanation). Add
a note to CVE-2018-3836 to make sure the issue is completely fixed
if/once it's addressed for stretch and jessie.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -9854,6 +9854,8 @@ CVE-2017-18196 (Leptonica 1.74.4 constructs unintended pathnames (containing dup
- leptonlib 1.74.4-2 (bug #885704)
CVE-2018-7440 (An issue was discovered in Leptonica through 1.75.3. The ...)
- leptonlib <unfixed> (bug #891932)
+ [stretch] - leptonlib <not-affected> (Incomplete fix for CVE-2018-3836 not applied)
+ [jessie] - leptonlib <not-affected> (Incomplete fix for CVE-2018-3836 not applied)
NOTE: https://github.com/DanBloomberg/leptonica/issues/303#issuecomment-366472212
NOTE: https://github.com/DanBloomberg/leptonica/pull/313/commits/49ecb6c2dfd6ed5078c62f4a8eeff03e3beced3b
CVE-2018-3836 [gplotMakeOutput Command Injection Vulnerability]
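Review bot: the two added `<not-affected>` lines for stretch and jessie only hold while the incomplete CVE-2018-3836 fix stays out of those releases, and the CVE-2018-7440 entry records that dependency only in the short parenthetical. Consider adding a NOTE under CVE-2018-7440 saying that the stretch and jessie status has to be re-evaluated if CVE-2018-3836 is later fixed there without the follow-up commit from pull/313, so that someone triaging this entry on its own sees the coupling.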
@@ -9862,6 +9864,9 @@ CVE-2018-3836 [gplotMakeOutput Command Injection Vulnerability]
- leptonlib 1.75.3-1 (bug #889759)
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0516
NOTE: https://github.com/DanBloomberg/leptonica/issues/303
+ NOTE: When fixing this issue make sure the fix is complete and includes as well
+ NOTE: https://github.com/DanBloomberg/leptonica/pull/313/commits/49ecb6c2dfd6ed5078c62f4a8eeff03e3beced3b
+ NOTE: to not open CVE-2018-7440.
CVE-2018-3835 (An exploitable out of bounds write vulnerability exists in version 2.2 ...)
NOT-FOR-US: Per Face Texture (PTEX)
CVE-2018-3834
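Review bot: the three added NOTE lines under CVE-2018-3836 are one sentence split around a URL, and they do not name the releases the reminder is meant for. The commit message says it targets stretch and jessie; stating that in the note and keeping the sentence on one line ahead of the URL would make it easier to find and act on, for example "NOTE: For stretch/jessie, make sure the fix also includes the following commit to not open CVE-2018-7440:" followed by the URL line.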
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f6dd99b0c59554e0f0a8073f6bb13b1903897810