[Git][security-tracker-team/security-tracker][master] Mark CVE-2017-14988/openexr as unimportant

Salvatore Bonaccorso carnil at debian.org
Thu Nov 8 14:44:13 GMT 2018 

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6de06e04 by Salvatore Bonaccorso at 2018-11-08T14:41:59Z
Mark CVE-2017-14988/openexr as unimportant

Analysis of https://github.com/openexr/openexr/issues/248 upstream
indicates this is caused by an improper assumption from ImageMagick and
the security impact is actually negligable at most. Mark as unimportant
and ideally an involved party properly request a REJECT.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -58935,11 +58935,9 @@ CVE-2017-14989 (A use-after-free in RenderFreetype in MagickCore/annotate.c in .
 	NOTE: https://github.com/ImageMagick/ImageMagick/commit/97740ccc177ee264e79091fa573d994eb6b05628
 	NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/28bad01242898d7f863deedbfa8502c348293093
 CVE-2017-14988 (Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote ...)
-	- openexr <unfixed> (bug #878551)
-	[stretch] - openexr <no-dsa> (Minor issue)
-	[jessie] - openexr <no-dsa> (Minor issue)
-	[wheezy] - openexr <postponed> (Should be fixed along in future update)
+	- openexr <unfixed> (bug #878551; unimportant)
 	NOTE: https://github.com/openexr/openexr/issues/248
+	NOTE: Issue in the use of openexr via ImageMagick, no real security impact
 CVE-2017-14987
 	RESERVED
 CVE-2017-14986



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6de06e045ca1e5bb4db711f2ad005a6f645a87e0

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6de06e045ca1e5bb4db711f2ad005a6f645a87e0
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20181108/1f40f44c/attachment.html>

More information about the debian-security-tracker-commits mailing list