[Git][security-tracker-team/security-tracker][master] Update information on CVE-2018-17282/exiv2

Salvatore Bonaccorso carnil at debian.org
Sat Oct 13 13:14:16 BST 2018 

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e4904ff7 by Salvatore Bonaccorso at 2018-10-13T12:06:01Z
Update information on CVE-2018-17282/exiv2

Upstream commit

https://github.com/Exiv2/exiv2/commit/afb98cbc6e288dc8ea75f3394a347fb9b37abc55

tries to allocate correct amount of memory for the ICC profile, but does
not perform a NULL check on "pos->count()*pos->typeSize()".

It might be sensible to check if pos->count() can posssibly be NULL,
then the issue, or a variant of it might be present in 0.26-1 as well
(in experimental), but not in the 0.25 based version in unstable.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -2410,9 +2410,10 @@ CVE-2018-17284
 CVE-2018-17283 (Zoho ManageEngine OpManager before 12.3 Build 123196 does not require ...)
 	NOT-FOR-US: Zoho ManageEngine OpManager
 CVE-2018-17282 (An issue was discovered in Exiv2 v0.26. The function ...)
-	- exiv2 <undetermined>
+	- exiv2 <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/Exiv2/exiv2/issues/457
-	NOTE: https://github.com/Exiv2/exiv2/commit/670fb73dd5ee8acab90971c4878de29f9fc43a02
+	NOTE: Fixed by: https://github.com/Exiv2/exiv2/commit/670fb73dd5ee8acab90971c4878de29f9fc43a02
+	NOTE: Introduced with: https://github.com/Exiv2/exiv2/commit/afb98cbc6e288dc8ea75f3394a347fb9b37abc55
 CVE-2018-17407 (An issue was discovered in t1_check_unusual_charstring functions in ...)
 	{DSA-4299-1 DLA-1514-1}
 	- texlive-bin 2018.20180907.48586-2 (bug #909317)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e4904ff790f1efe8959a4b628443f1e8cb1c8fcd

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e4904ff790f1efe8959a4b628443f1e8cb1c8fcd
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20181013/9af6b292/attachment.html>

More information about the debian-security-tracker-commits mailing list