[Git][security-tracker-team/security-tracker][master] 2 commits: Spice in wheezy is affected. The question is whether it is worth fixing in wheezy or not.

Ola Lundqvist opal at debian.org
Sat May 12 19:28:19 BST 2018 

Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
75cccfc3 by Ola Lundqvist at 2018-05-12T20:16:39+02:00
Spice in wheezy is affected. The question is whether it is worth fixing in wheezy or not.

- - - - -
d5f58df1 by Ola Lundqvist at 2018-05-12T20:27:50+02:00
Decided to ignore blender vulnerability as the advice is that not even oldstable will be fixed.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -45034,8 +45034,8 @@ CVE-2017-12195
 	RESERVED
 	NOT-FOR-US: OpenShift
 CVE-2017-12194 (A flaw was found in the way spice-client processed certain messages ...)
-	- spice-gtk <undetermined>
-	- spice <undetermined>
+	- spice-gtk 0.12
+	- spice 0.11
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1240165
 	TODO: check for details
 CVE-2017-12193 (The assoc_array_insert_into_terminal_node function in lib/assoc_array.c ...)
@@ -45387,30 +45387,37 @@ CVE-2017-12106 (A memory corruption vulnerability exists in the .TGA parsing ...
 	NOT-FOR-US: Computerinsel Photoline
 CVE-2017-12105 (An exploitable integer overflow exists in the way that the Blender ...)
 	- blender 2.79.a+dfsg0-1
+	[wheezy] - blender <ignored> (Vulnerable but not ignored)
 	NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0457
 CVE-2017-12104 (An exploitable integer overflow exists in the way that the Blender ...)
 	- blender 2.79.a+dfsg0-1
+	[wheezy] - blender <ignored> (Vulnerable but not ignored)
 	NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e6df02861e17f75d4dd243776f35208681b78465
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0456
 CVE-2017-12103 (An exploitable integer overflow exists in the way that the Blender ...)
 	- blender 2.79.a+dfsg0-1
+	[wheezy] - blender <ignored> (Vulnerable but not ignored)
 	NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e6df02861e17f75d4dd243776f35208681b78465
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0455
 CVE-2017-12102 (An exploitable integer overflow exists in the way that the Blender ...)
 	- blender 2.79.a+dfsg0-1
+	[wheezy] - blender <ignored> (Vulnerable but not ignored)
 	NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e6df02861e17f75d4dd243776f35208681b78465
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0454
 CVE-2017-12101 (An exploitable integer overflow exists in the ...)
 	- blender 2.79.a+dfsg0-1
+	[wheezy] - blender <ignored> (Vulnerable but not ignored)
 	NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0453
 CVE-2017-12100 (An exploitable integer overflow exists in the 'multires_load_old_dm' ...)
 	- blender 2.79.a+dfsg0-1
+	[wheezy] - blender <ignored> (Vulnerable but not ignored)
 	NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0452
 CVE-2017-12099 (An exploitable integer overflow exists in the upgrade of the legacy ...)
 	- blender 2.79.a+dfsg0-1
+	[wheezy] - blender <ignored> (Vulnerable but not ignored)
 	NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0451
 CVE-2017-12098 (An exploitable cross site scripting (XSS) vulnerability exists in the ...)
@@ -45443,6 +45450,7 @@ CVE-2017-12087 (An exploitable heap overflow vulnerability exists in the tinysvc
 	NOTE: https://bugs.launchpad.net/ubuntu/+source/shairport-sync/+bug/1729668
 CVE-2017-12086 (An exploitable integer overflow exists in the ...)
 	- blender 2.79.a+dfsg0-1
+	[wheezy] - blender <ignored> (Vulnerable but not ignored)
 	NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0438
 CVE-2017-12085 (An exploitable routing vulnerability exists in the Circle with Disney ...)
@@ -45453,10 +45461,12 @@ CVE-2017-12083 (An exploitable information disclosure vulnerability exists in th
 	NOT-FOR-US: Circle with Disney
 CVE-2017-12082 (An exploitable integer overflow exists in the 'CustomData' Mesh ...)
 	- blender 2.79.a+dfsg0-1
+	[wheezy] - blender <ignored> (Vulnerable but not ignored)
 	NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0434
 CVE-2017-12081 (An exploitable integer overflow exists in the upgrade of a legacy Mesh ...)
 	- blender 2.79.a+dfsg0-1
+	[wheezy] - blender <ignored> (Vulnerable but not ignored)
 	NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0433
 CVE-2017-12080 (An information exposure vulnerability in default HTTP configuration ...)
@@ -73984,6 +73994,7 @@ CVE-2017-2919 (An exploitable stack based buffer overflow vulnerability exists i
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0426
 CVE-2017-2918 (An exploitable integer overflow exists in the Image loading ...)
 	- blender 2.79.a+dfsg0-1
+	[wheezy] - blender <ignored> (Vulnerable but not ignored)
 	NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c
 	NOTE: :https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0425
 CVE-2017-2917 (An exploitable vulnerability exists in the notifications functionality ...)
@@ -74009,43 +74020,53 @@ CVE-2017-2909 (An infinite loop programming error exists in the DNS server ...)
 	[wheezy] - smplayer <not-affected> (Vulnerable code not present)
 CVE-2017-2908 (An exploitable integer overflow exists in the thumbnail functionality ...)
 	- blender 2.79.a+dfsg0-1
+	[wheezy] - blender <ignored> (Vulnerable but not ignored)
 	NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/07aed404cfb2759f97c60b9f64d8a9392dabaf1a
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0415
 CVE-2017-2907 (An exploitable integer overflow exists in the animation playing ...)
 	- blender 2.79.a+dfsg0-1
+	[wheezy] - blender <ignored> (Vulnerable but not ignored)
 	NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0414
 CVE-2017-2906 (An exploitable integer overflow exists in the animation playing ...)
 	- blender 2.79.a+dfsg0-1
+	[wheezy] - blender <ignored> (Vulnerable but not ignored)
 	NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0413
 CVE-2017-2905 (An exploitable integer overflow exists in the bmp loading ...)
 	- blender 2.79.a+dfsg0-1
+	[wheezy] - blender <ignored> (Vulnerable but not ignored)
 	NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0412
 CVE-2017-2904 (An exploitable integer overflow exists in the RADIANCE loading ...)
 	- blender 2.79.a+dfsg0-1
+	[wheezy] - blender <ignored> (Vulnerable but not ignored)
 	NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0411
 CVE-2017-2903 (An exploitable integer overflow exists in the DPX loading ...)
 	- blender 2.79.a+dfsg0-1
+	[wheezy] - blender <ignored> (Vulnerable but not ignored)
 	NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0410
 CVE-2017-2902 (An exploitable integer overflow exists in the DPX loading ...)
 	- blender 2.79.a+dfsg0-1
+	[wheezy] - blender <ignored> (Vulnerable but not ignored)
 	NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0409
 CVE-2017-2901 (An exploitable integer overflow exists in the IRIS loading ...)
 	- blender 2.79.a+dfsg0-1
+	[wheezy] - blender <ignored> (Vulnerable but not ignored)
 	NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/829916f4e57a2d1580ff3b625f6bb909b9144a20
 	NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0408
 CVE-2017-2900 (An exploitable integer overflow exists in the PNG loading ...)
 	- blender 2.79.a+dfsg0-1
+	[wheezy] - blender <ignored> (Vulnerable but not ignored)
 	NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0407
 CVE-2017-2899 (An exploitable integer overflow exists in the TIFF loading ...)
 	- blender 2.79.a+dfsg0-1
+	[wheezy] - blender <ignored> (Vulnerable but not ignored)
 	NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0406
 CVE-2017-2898 (An exploitable vulnerability exists in the signature verification of ...)


=====================================
data/dla-needed.txt
=====================================
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -12,12 +12,6 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 --
 apache2 (Roberto C. Sánchez)
 --
-blender
-  NOTE: 20180511: The question is whether it is worth the effort to fix the problem. The package is
-  NOTE: 20180511: clearly vulnerable and the vulnerability is rather severe (code execution) but
-  NOTE: 20180511: the likelihood of possible exploit in practice is quite small. Sent a mail to the
-  NOTE: 20180511: whole team for advice. (ola)
---
 cups (Thorsten Alteholz)
   NOTE: 20180318: not clear whether patch is fine, so no email to maintainer sent (alteholz)
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/bdc64bc24d551893bd225f4aaafd97930dc03019...d5f58df10def62fac2bb69ed9465da2964a07d80

---
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/bdc64bc24d551893bd225f4aaafd97930dc03019...d5f58df10def62fac2bb69ed9465da2964a07d80
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20180512/eca65f82/attachment-0001.html>

More information about the debian-security-tracker-commits mailing list