[Git][security-tracker-team/security-tracker][master] data/{dla-needed.txt,CVE/list}: CVE-2019-2201/libjpeg-turbo only gets...
Mike Gabriel
sunweaver at debian.org
Thu Dec 19 13:58:58 GMT 2019
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker
Commits:
54231ea5 by Mike Gabriel at 2019-12-19T13:58:25Z
data/{dla-needed.txt,CVE/list}: CVE-2019-2201/libjpeg-turbo only gets triggered via TurboJPEG API. There is no package in Debian jessie that uses the TurboJPEG API, thus setting CVE-2019-2201 to <ignored> for jessie.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -58576,6 +58576,7 @@ CVE-2019-2202 (In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible
NOT-FOR-US: Android media framework
CVE-2019-2201 (In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S, there is ...)
- libjpeg-turbo <unfixed>
+ [jessie] - libjpeg-turbo <ignored> (No package in Debian jessie uses the TurboJPEG API)
NOTE: https://source.android.com/security/bulletin/2019-11-01
NOTE: https://android.googlesource.com/platform/external/libjpeg-turbo/+/d3db2a2634c422286f75c4b38af98837f3d2f0ff
NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/361
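Review bot: The added `[jessie] ... <ignored>` line gives its reason ("No package in Debian jessie uses the TurboJPEG API") without recording how that was established, and nothing in the entry connects the TurboJPEG API to the `jsimd_arm64_neon.S` function named in the CVE description. A NOTE line directly below it, stating that the issue is only reachable through the TurboJPEG API (with the source of that conclusion) and how the jessie archive was checked for users of that API, would let a later triager re-verify the decision. The reason also covers only packages in the archive, so it would help to say explicitly that locally built software using the TurboJPEG API on jessie is out of scope.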
=====================================
data/dla-needed.txt
=====================================
@@ -44,12 +44,6 @@ libexif
libjackson-json-java (Adrian Bunk)
NOTE: 20191216: work is ongoing
--
-libjpeg-turbo (Mike Gabriel)
- NOTE: 20191125: Huh, too big a patch; checking what works and what doesn't. (utkarsh2102)
- NOTE: 20191216: Read the patch for CVE-2019-2201. It is possible to reduce it to just throw (ola)
- NOTE: 20191216: an error for large images but then gigabit images will not be supported and (ola)
- NOTE: 20191216: the threshold for support needs to be determined in that case. (ola)
---
libmatio (Adrian Bunk)
NOTE: fairly high number of open issues. Not sure why we never had a look at them.
NOTE: triage work needed, help security team for fixes if needed.
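Review bot: The removed `libjpeg-turbo` block drops the 20191216 notes about reducing the CVE-2019-2201 patch to an error for large images and the open question of the threshold, and none of that analysis is carried over into `data/CVE/list`. Consider preserving a one-line summary there as a NOTE so the work does not have to be redone if the `<ignored>` status is revisited. The removal of the whole entry is also only correct if CVE-2019-2201 was the sole reason the package was listed; the removed notes mention no other issue, but the commit message should say so.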
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/54231ea5aa51b01bb46490c5a3e5c67bfa6149cc