[Git][security-tracker-team/security-tracker][master] data/CVE: update openjpeg2 cve notes

Hugo Lefeuvre hle at debian.org
Mon Nov 19 16:57:41 GMT 2018


Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker


Commits:
37127a30 by Hugo Lefeuvre at 2018-11-19T16:52:40Z
data/CVE: update openjpeg2 cve notes

Reference my patches for CVE-2017-17480 and CVE-2018-18088.

CVE-2018-5785 is actually not affecting Jessie, support for this BMP
version was added later.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3436,6 +3436,7 @@ CVE-2018-18088 (OpenJPEG 2.3.0 has a NULL pointer dereference for "red&quot
 	- openjpeg2 <unfixed> (low; bug #910763)
 	[stretch] - openjpeg2 <ignored> (Minor issue)
 	NOTE: https://github.com/uclouvain/openjpeg/issues/1152
+	NOTE: https://github.com/uclouvain/openjpeg/commit/cab352e249ed3372dd9355c85e837613fff98fa2
 CVE-2018-18087 (The Bixie Portfolio plugin 1.2.0 for Pagekit has XSS: a logged-in user ...)
 	NOT-FOR-US: Bixie Portfolio plugin for Pagekit
 CVE-2018-18086 (EmpireCMS v7.5 has an arbitrary file upload vulnerability in the ...)
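Review bot: the NOTE added under CVE-2018-18088 is a bare commit URL placed directly after the issue URL, so the entry itself does not say what the commit is. The commit message describes it as a patch for this CVE; a short label on the NOTE line would carry that into the data file, the way the CVE-2018-5785 hunk labels its other commit with "vulnerable code introduced in". The package line stays <unfixed> and [stretch] stays <ignored>, so the reference is the only signal that a patch exists.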
@@ -36539,8 +36540,11 @@ CVE-2018-5786 (In Long Range Zip (aka lrzip) 0.631, there is an infinite loop an
 	NOTE: https://github.com/ckolivas/lrzip/issues/91
 CVE-2018-5785 (In OpenJPEG 2.3.0, there is an integer overflow caused by an ...)
 	- openjpeg2 <unfixed> (low; bug #888533)
+	[jessie] - openjpeg2 <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/uclouvain/openjpeg/issues/1057
 	NOTE: https://github.com/uclouvain/openjpeg/commit/ca16fe55014c57090dd97369256c7657aeb25975
+	NOTE: vulnerable code introduced in
+	NOTE: https://github.com/uclouvain/openjpeg/commit/33a0e66eb129c4e91b555a6b8dd9eab512fbfeb8
 CVE-2018-5784 (In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the ...)
 	{DLA-1411-1 DLA-1391-1}
 	- tiff 4.0.9-4 (bug #890441)
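Review bot: the introducing-commit reference for CVE-2018-5785 is split over two NOTE lines ("NOTE: vulnerable code introduced in" and then the URL on its own line), and it sits directly below the unlabelled ca16fe55 commit URL, so a line-oriented search returns either a label with no commit or a commit with no label. Putting the text and the 33a0e66e URL on a single NOTE line would remove the ambiguity. Only [jessie] gets a <not-affected> line here; it would help to record whether the other suites were checked against the same introducing commit.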
@@ -49040,6 +49044,7 @@ CVE-2017-17481
 CVE-2017-17480 (In OpenJPEG 2.3.0, a stack-based buffer overflow was discovered in the ...)
 	- openjpeg2 <unfixed> (bug #884738)
 	NOTE: https://github.com/uclouvain/openjpeg/issues/1044
+	NOTE: https://github.com/uclouvain/openjpeg/commit/0bc90e4062a5f9258c91eca018c019b179066c62
 CVE-2017-17479 (In OpenJPEG 2.3.0, a stack-based buffer overflow was discovered in the ...)
 	- openjpeg2 <unfixed> (unimportant)
 	NOTE: https://github.com/uclouvain/openjpeg/issues/1044
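Review bot: CVE-2017-17480 gains a commit reference, but the context lines below show CVE-2017-17479 pointing at the same upstream issue (issues/1044) with no commit. If 0bc90e40 addresses both overflows, the NOTE belongs on CVE-2017-17479 as well; if it covers only CVE-2017-17480, say so on the line so the two entries are not read as sharing a fix.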



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/37127a302c05120b8e33f357835419f2263a7456
