[Git][security-tracker-team/security-tracker][master] 2 commits: CVEs have been fixed
Thorsten Alteholz
alteholz at debian.org
Thu Mar 28 21:19:44 GMT 2019
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d480adf6 by Thorsten Alteholz at 2019-03-28T21:17:57Z
CVEs have been fixed
- - - - -
a77a1a84 by Thorsten Alteholz at 2019-03-28T21:18:38Z
Reserve DLA-1734-1 for libraw
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -64199,19 +64199,16 @@ CVE-2018-5820 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android
CVE-2018-5819 (An error within the "parse_sinar_ia()" function (internal/dcraw_common ...)
- libraw 0.19.1-1
[stretch] - libraw <no-dsa> (Minor issue)
- [jessie] - libraw <ignored> (Minor issue)
NOTE: https://www.flexera.com/company/secunia-research/advisories/SR-2018-27.html
NOTE: https://github.com/LibRaw/LibRaw/commit/9eb76dc153f5acf42ec7325a33fe7ccdcadaf8d6
CVE-2018-5818 (An error within the "parse_rollei()" function (internal/dcraw_common.c ...)
- libraw 0.19.1-1
[stretch] - libraw <no-dsa> (Minor issue)
- [jessie] - libraw <ignored> (Minor issue)
NOTE: https://www.flexera.com/company/secunia-research/advisories/SR-2018-27.html
NOTE: https://github.com/LibRaw/LibRaw/commit/9eb76dc153f5acf42ec7325a33fe7ccdcadaf8d6
CVE-2018-5817 (A type confusion error within the "unpacked_load_raw()" function withi ...)
- libraw 0.19.1-1
[stretch] - libraw <no-dsa> (Minor issue)
- [jessie] - libraw <ignored> (Minor issue)
NOTE: https://www.flexera.com/company/secunia-research/advisories/SR-2018-27.html
NOTE: https://github.com/LibRaw/LibRaw/commit/9eb76dc153f5acf42ec7325a33fe7ccdcadaf8d6
CVE-2018-5816 (An integer overflow error within the "identify()" function (internal/d ...)
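Review bot: the `[stretch] - libraw <no-dsa> (Minor issue)` lines under CVE-2018-5819, CVE-2018-5818 and CVE-2018-5817 are left in place while the `[jessie]` annotations are dropped, so after this change the older LTS release is recorded as fixed and stretch is not. The dla-needed.txt entry removed in the same push asked to consider issues "still marked vulnerable in Stretch"; a follow-up request for a stretch point release would close that gap.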
@@ -64260,7 +64257,6 @@ CVE-2018-5809 (An error within the "LibRaw::parse_exif()" function (internal/dcr
CVE-2018-5808 (An error within the "find_green()" function (internal/dcraw_common.cpp ...)
- libraw 0.18.11-1
[stretch] - libraw <no-dsa> (Minor issue)
- [jessie] - libraw <ignored> (Minor issue)
NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-9/
NOTE: https://github.com/LibRaw/LibRaw/commit/fd6330292501983ac75fe4162275794b18445bd9
CVE-2018-5807 (An error within the "samsung_load_raw()" function (internal/dcraw_comm ...)
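Review bot: the single deletion here, `[jessie] - libraw <ignored> (Minor issue)` under CVE-2018-5808, is justified only by the commit subject "CVEs have been fixed", which names neither the package nor the advisory. A subject along the lines of "libraw: drop jessie annotations for CVEs fixed in DLA-1734-1" would make the reason findable from the log without opening data/DLA/list.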
@@ -64290,21 +64286,18 @@ CVE-2018-5803 (In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.1
CVE-2018-5802 (An error within the "kodak_radc_load_raw()" function (internal/dcraw_c ...)
- libraw 0.18.7-1
[stretch] - libraw <no-dsa> (Minor issue)
- [jessie] - libraw <no-dsa> (Minor issue)
[wheezy] - libraw <ignored> (Minor issue)
NOTE: https://packetstormsecurity.com/files/146172/secunia-libraw.txt
NOTE: https://github.com/LibRaw/LibRaw/commit/8682ad204392b914ab1cc6ebcca9c27c19c1a4b4
CVE-2018-5801 (An error within the "LibRaw::unpack()" function (src/libraw_cxx.cpp) i ...)
- libraw 0.18.7-1
[stretch] - libraw <no-dsa> (Minor issue)
- [jessie] - libraw <no-dsa> (Minor issue)
[wheezy] - libraw <ignored> (Minor issue)
NOTE: https://packetstormsecurity.com/files/146172/secunia-libraw.txt
NOTE: https://github.com/LibRaw/LibRaw/commit/8682ad204392b914ab1cc6ebcca9c27c19c1a4b4
CVE-2018-5800 (An off-by-one error within the "LibRaw::kodak_ycbcr_load_raw()" functi ...)
- libraw 0.18.7-1
[stretch] - libraw <no-dsa> (Minor issue)
- [jessie] - libraw <no-dsa> (Minor issue)
[wheezy] - libraw <ignored> (Minor issue)
NOTE: https://packetstormsecurity.com/files/146172/secunia-libraw.txt
NOTE: https://github.com/LibRaw/LibRaw/commit/8682ad204392b914ab1cc6ebcca9c27c19c1a4b4
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[28 Mar 2019] DLA-1734-1 libraw - security update
+ {CVE-2018-5800 CVE-2018-5801 CVE-2018-5802 CVE-2018-5808 CVE-2018-5817 CVE-2018-5818 CVE-2018-5819}
+ [jessie] - libraw 0.16.0-9+deb8u4
[28 Mar 2019] DLA-1733-1 wpa - security update
{CVE-2016-10743}
[jessie] - wpa 2.3-1+deb8u7
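Review bot: the CVE set in braces on the new DLA-1734-1 entry matches the seven `[jessie]` lines removed from data/CVE/list, but CVE-2018-5816 and CVE-2018-5807, which appear there as context lines and whose descriptions point at the same internal/dcraw_common code, are not in it. Their jessie status is not visible in this diff; it is worth confirming that they are either not affected in the jessie version or tracked separately, so the scope of the advisory is explicit.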
=====================================
data/dla-needed.txt
=====================================
@@ -56,16 +56,6 @@ libmatio (Adrian Bunk)
NOTE: fairly high number of open issues. Not sure why we never had a look at them.
NOTE: triage work needed, help security team for fixes if needed.
--
-libraw (Thorsten Alteholz)
- NOTE: 20181222: As usual please consider to fix ignored/no-dsa issues too,
- NOTE: especially those that are still marked vulnerable in Stretch but also
- NOTE: the stack-based and heap-based overflow issues. (apo)
- NOTE: 20190114: Ton of issues, I couldn't reproduce most of them. CVE-2017-13735
- NOTE: is reproducible even after upstream patch.
- NOTE: 20190202: Marked CVE-2017-14348, CVE-2018-20337, CVE-2018-20363, CVE-2018-20364
- NOTE: and CVE-2018-20365 as no DSA.
- NOTE: 20190317: still wading through CVEs
---
linux (Ben Hutchings)
--
linux-4.9 (Ben Hutchings)
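Review bot: deleting the libraw block also deletes the 20190114 note that CVE-2017-13735 "is reproducible even after upstream patch", and that CVE is not in the DLA-1734-1 set added to data/DLA/list. Suggest recording that observation as a NOTE under the CVE-2017-13735 entry in data/CVE/list before removing it here, and checking that the no-DSA decision for CVE-2017-14348, CVE-2018-20337, CVE-2018-20363, CVE-2018-20364 and CVE-2018-20365 is recorded there as well.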
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/9416453be4a2bbb0adb61e076eacce4cae0c867e...a77a1a84d073fd108d58225c093bc6ef4a17382e