[Git][security-tracker-team/security-tracker][master] buster triage

Mon Mar 18 22:11:56 GMT 2019

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0efc30d2 by Moritz Muehlenhoff at 2019-03-18T22:11:15Z
buster triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1557,6 +1557,7 @@ CVE-2019-9210 (In AdvanceCOMP 2.1, png_compress in pngex.cc in advpng has an int
 	NOTE: Fixed by https://github.com/amadvance/advancecomp/commit/fcf71a89265c78fc26243574dda3a872574a5c02
 CVE-2018-20797 (An issue was discovered in PoDoFo 0.9.6. There is an attempted excessi ...)
 	- libpodofo <unfixed> (low; bug #923415)
+	[buster] - libpodofo <no-dsa> (Minor issue)
 	[stretch] - libpodofo <no-dsa> (Minor issue)
 	[jessie] - libpodofo <no-dsa> (Minor issue)
 	NOTE: https://sourceforge.net/p/podofo/tickets/34/
@@ -3641,10 +3642,9 @@ CVE-2019-8345 (The Help feature in the ES File Explorer File Manager application
 CVE-2019-8344
 	RESERVED
 CVE-2019-8343 (In Netwide Assembler (NASM) 2.14.02, there is a use-after-free in past ...)
-	- nasm <unfixed> (bug #922433)
-	[stretch] - nasm <no-dsa> (Minor issue)
-	[jessie] - nasm <no-dsa> (Minor issue)
+	- nasm <unfixed> (unimportant; bug #922433)
 	NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392556
+	NOTE: Crash in CLI tool, no security impact
 CVE-2019-8342
 	RESERVED
 CVE-2019-8341 (An issue was discovered in Jinja2 2.10. The from_string function is pr ...)
@@ -15319,10 +15319,9 @@ CVE-2018-20539 (There is a Segmentation fault triggered by illegal address acces
 	[jessie] - liblas <no-dsa> (Minor issue)
 	NOTE: https://github.com/libLAS/libLAS/issues/159
 CVE-2018-20538 (There is a use-after-free at asm/preproc.c (function pp_getline) in Ne ...)
-	- nasm <unfixed> (bug #918269)
-	[stretch] - nasm <no-dsa> (Minor issue)
-	[jessie] - nasm <no-dsa> (Minor issue)
+	- nasm <unfixed> (unimportant; bug #918269)
 	NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392531
+	NOTE: Crash in CLI tool, no security impact
 CVE-2018-20537 (There is a NULL pointer dereference at liblas::SpatialReference::GetGT ...)
 	- liblas <unfixed> (low; bug #924614)
 	[buster] - liblas <no-dsa> (Minor issue)
@@ -15336,10 +15335,9 @@ CVE-2018-20536 (There is a heap-based buffer over-read at liblas::SpatialReferen
 	[jessie] - liblas <no-dsa> (Minor issue)
 	NOTE: https://github.com/libLAS/libLAS/issues/161
 CVE-2018-20535 (There is a use-after-free at asm/preproc.c (function pp_getline) in Ne ...)
-	- nasm <unfixed> (bug #918270)
-	[stretch] - nasm <no-dsa> (Minor issue)
-	[jessie] - nasm <no-dsa> (Minor issue)
+	- nasm <unfixed> (unimportant; bug #918270)
 	NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392530
+	NOTE: Crash in CLI tool, no security impact
 CVE-2018-20534 (There is an illegal address access at src/pool.h (function pool_whatpr ...)
 	- libsolv <unfixed> (low; bug #923002)
 	[stretch] - libsolv <ignored> (Minor issue)
@@ -19964,10 +19962,9 @@ CVE-2018-20007
 CVE-2018-20006 (An issue was discovered in PHPok v5.0.055. There is a Stored XSS vulne ...)
 	NOT-FOR-US: PHPok
 CVE-2018-20005 (An issue has been found in Mini-XML (aka mxml) 2.12. It is a use-after ...)
-	- mxml <unfixed> (low)
-	[stretch] - mxml <no-dsa> (Minor issue)
-	[jessie] - mxml <ignored> (Minor issue)
+	- mxml <unfixed> (unimportant)
 	NOTE: https://github.com/michaelrsweet/mxml/issues/234
+	NOTE: Crash in mxmldoc CLI tool, no security impact
 CVE-2018-20004 (An issue has been found in Mini-XML (aka mxml) 2.12. It is a stack-bas ...)
 	{DLA-1641-1}
 	- mxml 2.12-2 (low; bug #918007)
@@ -21505,11 +21502,10 @@ CVE-2018-19757 (There is a NULL pointer dereference at function sixel_helper_set
 CVE-2018-19756 (There is a heap-based buffer over-read at stb_image.h (function: stbi_ ...)
 	TODO: check
 CVE-2018-19755 (There is an illegal address access at asm/preproc.c (function: is_mmac ...)
-	- nasm <unfixed> (bug #915087)
-	[stretch] - nasm <no-dsa> (Minor issue)
-	[jessie] - nasm <no-dsa> (Minor issue)
+	- nasm <unfixed> (unimportant; bug #915087)
 	NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392528
 	NOTE: https://repo.or.cz/nasm.git/commit/3079f7966dbed4497e36d5067cbfd896a90358cb
+	NOTE: Crash in CLI tool, no security impact
 CVE-2018-19754 (Tarantella Enterprise before 3.11 allows bypassing Access Control. ...)
 	NOT-FOR-US: Tarantella Enterprise
 CVE-2018-19753 (Tarantella Enterprise before 3.11 allows Directory Traversal. ...)
@@ -34539,12 +34535,9 @@ CVE-2018-15891
 CVE-2018-15890
 	RESERVED
 CVE-2018-15889 (In podofo 0.9.6, the function PoDoFo::PdfParser::ReadObjects() in base ...)
-	- libpodofo <unfixed> (low; bug #916167)
-	[stretch] - libpodofo <no-dsa> (Minor issue)
-	[jessie] - libpodofo <no-dsa> (Minor issue)
+	NOTE: Duplicate of CVE-2018-5783
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1620065
 	NOTE: https://sourceforge.net/p/podofo/tickets/27/
-	NOTE: upstream thinks this could be a duplicate of CVE-2018-5783
 CVE-2018-15888 (An issue was discovered in ASPCMS 2.5.6. When registering ordinary use ...)
 	NOT-FOR-US: ASPCMS
 CVE-2017-18346
@@ -55377,6 +55370,7 @@ CVE-2018-8003 (Apache Ambari, versions 1.4.0 to 2.6.1, is susceptible to a direc
 	NOT-FOR-US: Apache Ambari
 CVE-2018-8002 (In PoDoFo 0.9.5, there exists an infinite loop vulnerability in PdfPar ...)
 	- libpodofo <unfixed> (low; bug #892557)
+	[buster] - libpodofo <no-dsa> (Minor issue)
 	[stretch] - libpodofo <no-dsa> (Minor issue)
 	[jessie] - libpodofo <no-dsa> (Minor issue)
 	[wheezy] - libpodofo <no-dsa> (Minor issue)
@@ -67865,6 +67859,7 @@ CVE-2017-18009 (In OpenCV 3.3.1, a heap-based buffer over-read exists in the fun
 	[wheezy] - opencv <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/opencv/opencv/issues/10479
 	NOTE: Introduced after: https://github.com/opencv/opencv/commit/7469c935f3ec8e9fe4f56b7eed07b284b7b7b5df
+	NOTE: Fixed: https://github.com/opencv/opencv/commit/4ca89db22dea962690f31c1781bce5937ee91837
 CVE-2017-18008 (In ImageMagick 7.0.7-17 Q16, there is a Memory Leak in ReadPWPImage in ...)
 	- imagemagick 8:6.9.9.34+dfsg-3 (unimportant)
 	NOTE: https://github.com/ImageMagick/ImageMagick/issues/921
@@ -103840,7 +103835,8 @@ CVE-2017-9114 (In OpenEXR 2.2.0, an invalid read of size 1 in the refill functio
 	NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5
 	NOTE: https://github.com/openexr/openexr/issues/232
 CVE-2017-9113 (In OpenEXR 2.2.0, an invalid write of size 1 in the bufferedReadPixels ...)
-	- openexr <unfixed> (bug #873885)
+	- openexr <unfixed> (low; bug #873885)
+	[buster] - openexr <no-dsa> (Minor issue)
 	[stretch] - openexr <no-dsa> (Minor issue)
 	[jessie] - openexr <no-dsa> (Minor issue)
 	[wheezy] - openexr <no-dsa> (Minor issue)
@@ -103855,6 +103851,7 @@ CVE-2017-9112 (In OpenEXR 2.2.0, an invalid read of size 1 in the getBits functi
 	NOTE: https://github.com/openexr/openexr/issues/232
 CVE-2017-9111 (In OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE function  ...)
 	- openexr <unfixed> (bug #873885)
+	[buster] - openexr <no-dsa> (Minor issue)
 	[stretch] - openexr <no-dsa> (Minor issue)
 	[jessie] - openexr <no-dsa> (Minor issue)
 	[wheezy] - openexr <no-dsa> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0efc30d291b5d4570f402a823f3cb558208a3097

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0efc30d291b5d4570f402a823f3cb558208a3097
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190318/a366c402/attachment.html>
