[Git][security-tracker-team/security-tracker][master] new nouveau issue

Moritz Muehlenhoff jmm at debian.org
Wed Apr 17 13:20:09 BST 2019



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
25da1a2f by Moritz Muehlenhoff at 2019-04-17T12:19:04Z
new nouveau issue
older im issue confirmed im7 only by upstream
several xpdf issues confirmed unaffected wrt poppler

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3811,9 +3811,9 @@ CVE-2019-9880
 CVE-2019-9879
 	RESERVED
 CVE-2019-9878 (There is an invalid memory access in the function GfxIndexedColorSpace ...)
-	TODO: check
+	- xpdf <not-affected> (xpdf in Debian uses poppler, which is not affected or fixed)
 CVE-2019-9877 (There is an invalid memory access vulnerability in the function TextPa ...)
-	TODO: check
+	- xpdf <not-affected> (xpdf in Debian uses poppler, which doesn't contain the vulnerable code)
 CVE-2019-9876
 	RESERVED
 CVE-2019-9875
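Review bot: the justification for CVE-2019-9878, "(xpdf in Debian uses poppler, which is not affected or fixed)", leaves open which of the two applies, while the CVE-2019-9877 line right below states plainly that poppler does not contain the vulnerable code. Use one definite reason per entry; if poppler was fixed rather than never affected, the fix belongs in a poppler entry with a version rather than in a not-affected note on xpdf.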
@@ -4689,11 +4689,11 @@ CVE-2019-9591 (A reflected Cross-site scripting (XSS) vulnerability in ShoreTel
 CVE-2019-9590 (An issue was discovered on TENGCONTROL T-920 PLC v5.5 devices. It allo ...)
 	NOT-FOR-US: TENGCONTROL devices
 CVE-2019-9589 (There is a NULL pointer dereference vulnerability in PSOutputDev::setu ...)
-	TODO: check
+	- xpdf <not-affected> (xpdf in Debian uses poppler, which doesn't contain the vulnerable code)
 CVE-2019-9588 (There is an Invalid memory access in gAtomicIncrement() located at GMu ...)
-	TODO: check
+	- xpdf <not-affected> (xpdf in Debian uses poppler, which doesn't contain the vulnerable code)
 CVE-2019-9587 (There is a stack consumption issue in md5Round1() located in Decrypt.c ...)
-	TODO: check
+	- xpdf <not-affected> (xpdf in Debian uses poppler, which is not affected or fixed)
 CVE-2019-9586
 	RESERVED
 CVE-2019-9585
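Review bot: the same ambiguity recurs for CVE-2019-9587, "(xpdf in Debian uses poppler, which is not affected or fixed)", whereas the adjacent CVE-2019-9589 and CVE-2019-9588 lines use the clearer "doesn't contain the vulnerable code" wording. Since the description names the affected function and file (md5Round1() in Decrypt.c), state which case holds so the not-affected marking can be checked against poppler's source.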
@@ -38016,14 +38016,9 @@ CVE-2018-16331 (admin.php?s=/Admin/doedit in DamiCMS v6.0.0 allows CSRF to chang
 CVE-2018-16330 (Pandao Editor.md 1.5.0 allows XSS via crafted attributes of an invalid ...)
 	NOT-FOR-US: Pandao Editor.md
 CVE-2018-16329 (In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in th ...)
-	- imagemagick <undetermined>
-	[jessie] - imagemagick <not-affected> (vulnerable code not present)
+	- imagemagick <not-affected> (Only affects 7.x)
 	NOTE: https://github.com/ImageMagick/ImageMagick/issues/1225
-	NOTE: Only in the 7.x series the assert statement was changed so the statement would
-	NOTE: be true even if image is NULL, but image_info is not:
-	NOTE: https://github.com/ImageMagick/ImageMagick/commit/db2a1d6aaff3a83a74b37731405424c95f0c873a
 	NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/2c75f301d9ac84f91071393b02d8c88c8341c91c
-	TODO: check if though missing null checks are present as well in 6.x series
 CVE-2018-16328 (In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in th ...)
 	- imagemagick 8:6.9.10.8+dfsg-1
 	[stretch] - imagemagick <not-affected> (Vulnerable code introduced later)
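Review bot: the three removed NOTE lines carried the rationale for the new "<not-affected> (Only affects 7.x)" status, including the upstream commit (db2a1d6aaff3a83a74b37731405424c95f0c873a) that changed the assert in the 7.x series; after this change the only remaining reference is the "Fixed by:" link, which on its own does not show why 6.x is unaffected. Keep at least that commit reference as a NOTE, and since the dropped TODO asked whether the missing NULL checks are also present in 6.x, a one-line NOTE recording that this was checked would close the question explicitly instead of silently.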
@@ -47842,14 +47837,12 @@ CVE-2018-12467 (Authorized users of the openbuildservice before 2.9.4 could dele
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1100217
 	NOTE: Fixed by: https://github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063
 	NOTE: Introduced by: https://github.com/openSUSE/open-build-service/commit/990ef7cccef6f38fc1d1a1bb22a08e174dcba43b
-	TODO: check if introducing commit is right and fix status
 CVE-2018-12466 (openSUSE openbuildservice before 9.2.4 allowed authenticated users to  ...)
 	- open-build-service <unfixed> (bug #911797)
 	[stretch] - open-build-service <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1098934
 	NOTE: Fixed by: https://github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063
 	NOTE: Introduced by: https://github.com/openSUSE/open-build-service/commit/990ef7cccef6f38fc1d1a1bb22a08e174dcba43b
-	TODO: check if introducing commit is right and fix status
 CVE-2018-12465 (An OS command injection vulnerability in the web administration compon ...)
 	NOT-FOR-US: Micro Focus
 CVE-2018-12464 (A SQL injection vulnerability in the web administration and quarantine ...)
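Review bot: both TODO lines ("check if introducing commit is right and fix status") are removed without any accompanying change to the entries they refer to, so the outcome of the check is not recorded; CVE-2018-12466 still carries "<unfixed> (bug #911797)" next to a "Fixed by:" upstream commit. Add a NOTE stating the result (for example that the introducing commit was confirmed) or adjust the status, so a later reader does not have to redo the verification.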
@@ -71817,7 +71810,10 @@ CVE-2018-3981 (An exploitable out-of-bounds write exists in the TIFF-parsing fun
 CVE-2018-3980 (An exploitable out-of-bounds write exists in the TIFF-parsing function ...)
 	NOT-FOR-US: Canvas Draw
 CVE-2018-3979 (A remote denial-of-service vulnerability exists in the way the Nouveau ...)
-	TODO: check
+	- xserver-xorg-video-nouveau <unfixed> (low)
+	[buster] - xserver-xorg-video-nouveau <ignored> (Minor issue)
+	[stretch] - xserver-xorg-video-nouveau <ignored> (Minor issue)
+	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2018-0647
 CVE-2018-3978 (An exploitable out-of-bounds write vulnerability exists in the Word Do ...)
 	NOT-FOR-US: Atlantis Word Processor
 CVE-2018-3977 (An exploitable code execution vulnerability exists in the XCF image re ...)
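Review bot: the new CVE-2018-3979 entry records the Talos advisory but nothing about upstream fix status, so "<unfixed> (low)" is not explained the way the other entries in this patch are. If an upstream commit or bug is known, add a "NOTE: Fixed by:" line in the same style as the ImageMagick and open-build-service entries; otherwise a NOTE stating that no upstream fix is available yet would make the unfixed/ignored combination for buster and stretch easier to revisit.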



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/25da1a2f8fe186cb39da9a7089e2a462d37b5243
