[Git][security-tracker-team/security-tracker][master] data/{dla-needed.txt,CVE/list}: CVE-2019-2201/libjpeg-turbo only gets...

Mike Gabriel sunweaver at debian.org
Thu Dec 19 13:58:58 GMT 2019



Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker


Commits:
54231ea5 by Mike Gabriel at 2019-12-19T13:58:25Z
data/{dla-needed.txt,CVE/list}: CVE-2019-2201/libjpeg-turbo only gets triggered via TurboJPEG API. There is no package in Debian jessie that uses the TurboJPEG API, thus setting CVE-2019-2201 to <ignored> for jessie.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -58576,6 +58576,7 @@ CVE-2019-2202 (In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible
 	NOT-FOR-US: Android media framework
 CVE-2019-2201 (In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S, there is ...)
 	- libjpeg-turbo <unfixed>
+	[jessie] - libjpeg-turbo <ignored> (No package in Debian jessie uses the TurboJPEG API)
 	NOTE: https://source.android.com/security/bulletin/2019-11-01
 	NOTE: https://android.googlesource.com/platform/external/libjpeg-turbo/+/d3db2a2634c422286f75c4b38af98837f3d2f0ff
 	NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/361
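Review bot: the reason given on the added [jessie] line, "No package in Debian jessie uses the TurboJPEG API", is stated without any record of how it was established. A NOTE line under CVE-2019-2201 saying how the jessie packages were checked for TurboJPEG API use would let a later triager re-verify the <ignored> status. As worded, the reason also covers only packages in jessie, so software outside the archive that calls the TurboJPEG API against the jessie libjpeg-turbo is not addressed by it.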


=====================================
data/dla-needed.txt
=====================================
@@ -44,12 +44,6 @@ libexif
 libjackson-json-java (Adrian Bunk)
   NOTE: 20191216: work is ongoing
 --
-libjpeg-turbo (Mike Gabriel)
-  NOTE: 20191125: Huh, too big a patch; checking what works and what doesn't. (utkarsh2102)
-  NOTE: 20191216: Read the patch for CVE-2019-2201. It is possible to reduce it to just throw (ola)
-  NOTE: 20191216: an error for large images but then gigabit images will not be supported and (ola)
-  NOTE: 20191216: the threshold for support needs to be determined in that case. (ola)
---
 libmatio (Adrian Bunk)
   NOTE: fairly high number of open issues. Not sure why we never had a look at them.
   NOTE: triage work needed, help security team for fixes if needed.
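Review bot: the removed 20191216 NOTE lines (ola) record that the CVE-2019-2201 patch could be reduced to throwing an error for large images, with a support threshold still to be determined, and that analysis is not carried over to the CVE-2019-2201 entry in data/CVE/list. Consider preserving it there as a NOTE so it remains available if the <ignored> decision for jessie is revisited. The removed entry names only CVE-2019-2201, so it is also worth confirming that no other libjpeg-turbo issue in jessie was being tracked under it before dropping the whole block.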



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/54231ea5aa51b01bb46490c5a3e5c67bfa6149cc
