[Git][security-tracker-team/security-tracker][master] new exiv issues
Moritz Muehlenhoff
jmm at debian.org
Tue Jul 2 11:08:53 BST 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
81a13aa6 by Moritz Muehlenhoff at 2019-07-02T10:08:13Z
new exiv issues
NFUs
new tor browser issue
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -49,11 +49,11 @@ CVE-2019-13129 (On the Motorola router CX2L MWR04L 1.01, there is a stack consum
CVE-2019-13128 (An issue was discovered on D-Link DIR-823G devices with firmware 1.02B ...)
NOT-FOR-US: D-Link
CVE-2019-13127 (An issue was discovered in mxGraph through 4.0.0, related to the "draw ...)
- TODO: check
+ NOT-FOR-US: mxGraph
CVE-2019-13126
RESERVED
CVE-2019-13125 (HaboMalHunter through 2.0.0.3 in Tencent Habo allows attackers to evad ...)
- TODO: check
+ NOT-FOR-US: Tencent
CVE-2019-13124
RESERVED
CVE-2019-13123
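Review bot: The NOT-FOR-US tags in this hunk mix vendor and product names: CVE-2019-13125 is tagged "NOT-FOR-US: Tencent" although the description names the product as HaboMalHunter, while CVE-2019-13127 is tagged with the product name (mxGraph) and the existing CVE-2019-13128 entry with the vendor (D-Link). Consider "NOT-FOR-US: Tencent HaboMalHunter" so that a later search of data/CVE/list for the product name finds the earlier triage decision.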
@@ -81,19 +81,46 @@ CVE-2019-13116
CVE-2019-13115
RESERVED
CVE-2019-13114 (http.c in Exiv2 through 0.27.1 allows a malicious http server to cause ...)
- TODO: check
+ - exiv2 <unfixed> (low)
+ [buster] - exiv2 <ignored> (Minor issue)
+ [stretch] - exiv2 <ignored> (Minor issue)
+ NOTE: https://github.com/Exiv2/exiv2/commit/ccde30afa8ca787a3fe17388a15977f107a53b72
+ NOTE: https://github.com/Exiv2/exiv2/issues/793
CVE-2019-13113 (Exiv2 through 0.27.1 allows an attacker to cause a denial of service ( ...)
- TODO: check
+ - exiv2 <unfixed> (unimportant)
+ NOTE: https://github.com/Exiv2/exiv2/commit/6212806b7637be683a56c769a8d905153996d933
+ NOTE: https://github.com/Exiv2/exiv2/commit/ccde30afa8ca787a3fe17388a15977f107a53b72
+ NOTE: https://github.com/Exiv2/exiv2/issues/841
+ NOTE: Negligible security impact
CVE-2019-13112 (A PngChunk::parseChunkContent uncontrolled memory allocation in Exiv2 ...)
- TODO: check
+ - exiv2 <unfixed> (low)
+ [buster] - exiv2 <ignored> (Minor issue)
+ [stretch] - exiv2 <ignored> (Minor issue)
+ NOTE: https://github.com/Exiv2/exiv2/commit/1ed1e03c83802547585833fa9d4433af94798778
+ NOTE: https://github.com/Exiv2/exiv2/issues/845
CVE-2019-13111 (A WebPImage::decodeChunks integer overflow in Exiv2 through 0.27.1 all ...)
- TODO: check
+ [experimental] - exiv2 <unfixed>
+ - exiv2 <not-affected> (Vulnerable code introduced later)
+ NOTE: https://github.com/Exiv2/exiv2/issues/791
+ NOTE: https://github.com/Exiv2/exiv2/pull/797/commits
CVE-2019-13110 (A CiffDirectory::readDirectory integer overflow and out-of-bounds read ...)
- TODO: check
+ - exiv2 <unfixed> (low)
+ [buster] - exiv2 <ignored> (Minor issue)
+ [stretch] - exiv2 <ignored> (Minor issue)
+ NOTE: https://github.com/Exiv2/exiv2/issues/843
+ NOTE: https://github.com/Exiv2/exiv2/commit/9628f82084ed30d494ddd4f7360d233801e22967
CVE-2019-13109 (An integer overflow in Exiv2 through 0.27.1 allows an attacker to caus ...)
- TODO: check
+ - exiv2 <unfixed> (low)
+ [buster] - exiv2 <ignored> (Minor issue)
+ [stretch] - exiv2 <ignored> (Minor issue)
+ NOTE: https://github.com/Exiv2/exiv2/commit/491c3ebe3b3faa6d8f75fb28146186792c2439da
+ NOTE: https://github.com/Exiv2/exiv2/issues/790
CVE-2019-13108 (An integer overflow in Exiv2 through 0.27.1 allows an attacker to caus ...)
- TODO: check
+ - exiv2 <unfixed> (low)
+ [buster] - exiv2 <ignored> (Minor issue)
+ [stretch] - exiv2 <ignored> (Minor issue)
+ NOTE: https://github.com/Exiv2/exiv2/commit/5d1d6981229b5e44401bf5c503100553fc7d877a
+ NOTE: https://github.com/Exiv2/exiv2/issues/789
CVE-2019-13107 (Multiple integer overflows exist in MATIO before 1.5.16, related to ma ...)
- libmatio <unfixed> (bug #931323)
NOTE: Several commits between 1.5.15..1.5.16: https://github.com/tbeu/matio/compare/f8cd397...fabac6c
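Review bot: The CVE-2019-13111 entry references "https://github.com/Exiv2/exiv2/pull/797/commits" rather than a specific commit hash, unlike every other Exiv2 entry in this hunk; a pull request's commit list can change, so pin the fixing commit once it is known. The same entry marks unstable as <not-affected> with "Vulnerable code introduced later" but gives no NOTE naming the version or commit that introduced the code, which makes the [experimental] <unfixed> line hard to re-verify. Separately, commit ccde30afa8ca787a3fe17388a15977f107a53b72 is listed under both CVE-2019-13114 and CVE-2019-13113; if one commit really addresses both issues, a short NOTE saying so would help, otherwise one of the two references should be corrected. CVE-2019-13113 is also the only entry rated unimportant, and "Negligible security impact" states the conclusion without the reason.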
@@ -160,7 +187,11 @@ CVE-2019-13077
CVE-2019-13076
RESERVED
CVE-2019-13075 (Tor Browser through 8.5.3 has an information exposure vulnerability. I ...)
- TODO: check
+ - firefox-esr <unfixed> (unimportant)
+ - firefox <unfixed> (unimportant)
+ NOTE: https://hackerone.com/reports/588239
+ NOTE: https://trac.torproject.org/projects/tor/ticket/30657
+ NOTE: This affects Firefox, but it's not a security issue in Firefox by itself
CVE-2019-13074
RESERVED
CVE-2019-13073
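Review bot: The final NOTE on CVE-2019-13075 ("This affects Firefox, but it's not a security issue in Firefox by itself") gives the conclusion behind the unimportant rating on firefox-esr and firefox but not the reasoning. A short clause saying why the behaviour only counts as an information exposure in Tor Browser would let a later triager confirm the rating without reading the HackerOne report and the Tor ticket in full.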
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/81a13aa6c4622f662ee98f146a6c0d97c009e331