[Git][security-tracker-team/security-tracker][master] Expand note for CVE-2018-7263
Salvatore Bonaccorso
carnil at debian.org
Tue May 1 04:47:55 BST 2018
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3508be63 by Salvatore Bonaccorso at 2018-05-01T05:44:39+02:00
Expand note for CVE-2018-7263
Back in February 2018, this was tried to be clarified with MITRE.
Basically there are two CVE assignments left, and CVE-2018-7263 not
marked as duplicate of CVE-2017-11552 (but instead used the formulation
"this might overlap with ...") because there was no clear proof that they
are exactly the same errors. Further it was stated "However, if there are
two different code paths by which libmad is used incorrectly, and both
code paths result in "double free or corruption" errors, then we would
represent this with two CVEs."
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -8507,7 +8507,13 @@ CVE-2004-2779 (id3_utf16_deserialize() in utf16.c in libid3tag through 0.15.1b .
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=162647
NOTE: https://sources.debian.org/patches/libid3tag/0.15.1b-13/10_utf16.dpatch/
CVE-2018-7263 (The mad_decoder_run() function in decoder.c in Underbit libmad through ...)
- NOTE: Seems like a duplicate of CVE-2017-11552
+ NOTE: Seems like a duplicate of CVE-2017-11552 relates to the issue raised in
+ NOTE: https://bugs.debian.org/870608
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1081784
+ NOTE: MITRE stated, that "[...] However, if there are two different code
+ NOTE: paths by which libmad is used incorrectly, and both code paths result
+ NOTE: in "double free or corruption" errors, then we would represent this
+ NOTE: with two CVEs."
CVE-2018-7262 (In Ceph before 12.2.3 and 13.x through 13.0.1, the rgw_civetweb.cc ...)
- ceph <not-affected> (Issue introduced later)
NOTE: See details in https://bugs.debian.org/891963#15 . Ceph as present in
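Review bot: The first added NOTE line for CVE-2018-7263 runs two statements together ("Seems like a duplicate of CVE-2017-11552 relates to the issue raised in"), so a reader cannot tell whether the duplicate claim or the bug references are the subject. Consider ending the first NOTE after CVE-2017-11552 and starting a separate NOTE with "Relates to the issue raised in" ahead of the two bug URLs. The retained "Seems like a duplicate" wording also sits uneasily with the MITRE quote added directly below it, which explains why two CVEs may be kept; phrasing such as "might overlap with CVE-2017-11552", as used in the commit message, would match the quote better.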
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3508be63b51341a257ad4dd6ac446ad0c5675da0