[Git][security-tracker-team/security-tracker][master] mark CVE-2019-7443 no-dsa in jessie

Hugo Lefeuvre hle at debian.org
Wed Mar 20 08:57:54 GMT 2019


Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9fcbaf88 by Hugo Lefeuvre at 2019-03-20T08:43:15Z
mark CVE-2019-7443 no-dsa in jessie

This patch removes support for passing gui variants to kauth helpers
but this "feature" was not used by any part of the official KDE source
code.

This basically means that this patch only impacts hypothetical 3rd
party helpers which we cannot test.

As far as I investigated the source code, applying the kauth patch to
kde4libs should not be a problem, but there are still some regression
risks and given the low impact I'd rather mark it no-dsa.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -5825,6 +5825,7 @@ CVE-2019-7443 [Insecure handling of arguments in helpers]
 	[stretch] - kauth <no-dsa> (Minor issue, will be fixed in a point release)
 	- kde4libs <unfixed> (bug #922727)
 	[stretch] - kde4libs <no-dsa> (Minor issue)
+	[jessie] - kde4libs <no-dsa> (Minor issue)
 	NOTE: https://mail.kde.org/pipermail/kde-announce/2019-February/000011.html
 	NOTE: https://cgit.kde.org/kauth.git/commit/?id=fc70fb0161c1b9144d26389434d34dd135cd3f4a
 CVE-2019-7442
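
Review bot: the added `[jessie] - kde4libs <no-dsa> (Minor issue)` line gives no reason beyond "Minor issue", while the commit message holds the actual rationale: the removed gui-variant argument passing is not used by official KDE code, and the backport carries regression risk for third-party helpers that cannot be tested. Consider putting a short form of that in the parenthetical or in a NOTE line under this CVE, so the triage decision can be read from data/CVE/list without looking up the commit.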


=====================================
data/dla-needed.txt
=====================================
@@ -41,10 +41,6 @@ imagemagick (Roberto C. Sánchez)
   NOTE: Performed preliminary backport build (positive result), and sent inquiry
   NOTE: to security team requesting guidance on how to proceed. (roberto)
 --
-kde4libs (Hugo Lefeuvre)
-  NOTE: 20190317: not sure kauth fix works for kde4libs, requires some testing, still working on it
-  NOTE: 20190319: need to make it clear, contacted upstream, see debian-lts ml
---
 libav
   NOTE: 20190131: Re-added after ~deb8u5 upload. Still not done, yet.
 --
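
Review bot: removing the kde4libs block also drops the only pointer to the upstream contact and the mailing list thread (`NOTE: 20190319: need to make it clear, contacted upstream, see debian-lts ml`). The package leaves dla-needed.txt on a no-dsa decision rather than an upload, so consider carrying a NOTE into the CVE-2019-7443 entry in data/CVE/list that references that discussion. That keeps the answer to the open question in the 20190317 note (whether the kauth fix works for kde4libs) on record.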



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9fcbaf88089761823d0b83cd4f3e8c8fc668aa66
