[Git][security-tracker-team/security-tracker][master] Update information on CVE-2019-19847/libspiro
Salvatore Bonaccorso
carnil at debian.org
Mon Dec 23 15:59:16 GMT 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
4d5e37e0 by Salvatore Bonaccorso at 2019-12-23T15:57:31Z
Update information on CVE-2019-19847/libspiro
The issue is actually in an exported function, spiro_to_bpath0, but it's
not in the 'advertised' API. Cf.
https://github.com/fontforge/libspiro/issues/21#issuecomment-567983822 .
But no users seem present of the respective problematic function and as
such opted to mark it with negligible impact.
Safer might be to actually revert this, and mark it no-dsa.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -875,9 +875,11 @@ CVE-2019-19849 (An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.1
CVE-2019-19848 (An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and ...)
NOT-FOR-US: TYPO3
CVE-2019-19847 (Libspiro through 20190731 has a stack-based buffer overflow in the spi ...)
- - libspiro <unfixed>
+ - libspiro <unfixed> (unimportant)
[jessie] - libspiro <not-affected> (Vulnerable code not present)
NOTE: https://github.com/fontforge/libspiro/issues/21
+ NOTE: https://github.com/fontforge/libspiro/issues/21#issuecomment-567983822
+ NOTE: https://github.com/fontforge/libspiro/commit/35233450c922787dad42321e359e5229ff470a1e
CVE-2019-19846 (In Joomla! before 3.9.14, the lack of validation of configuration para ...)
NOT-FOR-US: Joomla!
CVE-2019-19845 (In Joomla! before 3.9.14, a missing access check in framework files co ...)
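Review bot: The `(unimportant)` tag added on the `- libspiro <unfixed>` line has no rationale recorded in the entry itself. The reasoning (the overflow is in the exported but non-advertised function spiro_to_bpath0, with no apparent users) appears only in the commit message, so a reader of data/CVE/list has to follow the issue-comment link to understand the triage. Consider adding a short NOTE stating that reason next to the new links. The second added NOTE is also a bare upstream commit URL with no indication of what it is; if it is the fix, labelling it as such would help, since the entry remains `<unfixed>`. The commit message itself raises `no-dsa` as the safer alternative, so the NOTE would also document why `unimportant` was preferred.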
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4d5e37e0dc075b6da390cac870875b602f2be191