[Git][security-tracker-team/security-tracker][master] Update information on CVE-2018-17229/CVE-2018-17230 in exiv2

Salvatore Bonaccorso carnil at debian.org
Sun Oct 14 13:47:50 BST 2018 

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4fb0cae0 by Salvatore Bonaccorso at 2018-10-14T12:47:00Z
Update information on CVE-2018-17229/CVE-2018-17230 in exiv2

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -2536,11 +2536,23 @@ CVE-2018-17231 (** DISPUTED ** Telegram Desktop (aka tdesktop) 1.3.14 might allo
 	- telegram-desktop <unfixed> (unimportant)
 	NOTE: Disputed as attack scenario does not cross a privilege boundary.
 CVE-2018-17230 (Exiv2::ul2Data in types.cpp in Exiv2 v0.26 allows remote attackers to ...)
-	- exiv2 <undetermined>
+	[experimental] - exiv2 <unfixed>
+	- exiv2 <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/Exiv2/exiv2/issues/455
+	NOTE: Introduced in: https://github.com/Exiv2/exiv2/commit/3d57bbc6e6036723df3c7da352e40267c90d1640
+	NOTE: Fixed by: https://github.com/Exiv2/exiv2/commit/afb98cbc6e288dc8ea75f3394a347fb9b37abc55
+	NOTE: Some extra care needs to be applied when fixing isolately the issue in
+	NOTE: experimental, as the commit afb98cbc6e288dc8ea75f3394a347fb9b37abc55
+	NOTE: would introduce/uncover CVE-2018-17282.
 CVE-2018-17229 (Exiv2::d2Data in types.cpp in Exiv2 v0.26 allows remote attackers to ...)
-	- exiv2 <undetermined>
+	[experimental] - exiv2 <unfixed>
+	- exiv2 <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/Exiv2/exiv2/issues/453
+	NOTE: Introduced in: https://github.com/Exiv2/exiv2/commit/3d57bbc6e6036723df3c7da352e40267c90d1640
+	NOTE: Fixed by: https://github.com/Exiv2/exiv2/commit/afb98cbc6e288dc8ea75f3394a347fb9b37abc55
+	NOTE: Some extra care needs to be applied when fixing isolately the issue in
+	NOTE: experimental, as the commit afb98cbc6e288dc8ea75f3394a347fb9b37abc55
+	NOTE: would introduce/uncover CVE-2018-17282.
 CVE-2018-17228 (nmap4j 1.1.0 allows attackers to execute arbitrary commands via shell ...)
 	NOT-FOR-US: nmap4j
 CVE-2018-17227



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4fb0cae02fea5fc65205cc7e4e731877ad26eef7

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4fb0cae02fea5fc65205cc7e4e731877ad26eef7
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20181014/562c07e0/attachment.html>

More information about the debian-security-tracker-commits mailing list