[Git][security-tracker-team/security-tracker][master] CVE-2018-17432/hdf5: mark unfixed
Hugo Lefeuvre
hle at debian.org
Sat May 25 07:16:52 BST 2019
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker
Commits:
31a793b9 by Hugo Lefeuvre at 2019-05-25T06:16:40Z
CVE-2018-17432/hdf5: mark unfixed
After discussion with upstream:
+ CVE-2018-17432 still affecting 1.10 and 1.8 branches
+ fix scheduled for next point release
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -38155,8 +38155,10 @@ CVE-2018-17433 (A heap-based buffer overflow in ReadGifImageDesc() in gifread.c
NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln8#heap-overflow-in-readgifimagedesc
NOTE: https://jira.hdfgroup.org/browse/HDFFV-10592
CVE-2018-17432 (A NULL pointer dereference in H5O_sdspace_encode() in H5Osdspace.c in ...)
- - hdf5 <undetermined>
+ - hdf5 <unfixed>
NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln6#null-pointer-dereference-in-h5o_sdspace_encode
+ NOTE: upstream bug tracker (not public): https://jira.hdfgroup.org/browse/HDFFV-10590
+ NOTE: fix planned for HDF5-1.10.6 (will also be backported to HDF5-1.8)
CVE-2018-17431 (Web Console in Comodo UTM Firewall before 2.7.0 allows remote attacker ...)
NOT-FOR-US: Comodo UTM
CVE-2018-17430
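Review bot: The two added NOTE lines under CVE-2018-17432 are undated and describe a plan ("fix planned for HDF5-1.10.6"), so a later reader cannot tell how current the information is or whether the earlier upstream claim of a fix in 1.10.5 was checked. The same commit removes that claim from data/dla-needed.txt, which leaves no record of it anywhere. Suggest prefixing the plan with the date of the upstream discussion and adding one NOTE that says the fix is not in 1.10.5, so the entry is not later marked fixed at that version on the strength of the old statement.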
=====================================
data/dla-needed.txt
=====================================
@@ -31,9 +31,6 @@ faad2 (Hugo Lefeuvre)
freeimage
--
hdf5 (Hugo Lefeuvre)
- NOTE: CVE-2018-17432: upstream claims to have fixed this in 1.10.5 (issue HDF-10590)
- NOTE: but not mentioned in release notes + no commit directly mentioning the issue
- NOTE: -> ask them for more information.
NOTE: 20190511: upstream was not aware of our undetermined issues. They have assigned
NOTE: a Jira issue for this: https://jira.hdfgroup.org/browse/HDFFV-10755 (hle)
--
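Review bot: After the three removed NOTE lines, the hdf5 entry no longer mentions CVE-2018-17432 at all, and the remaining 20190511 note still speaks of "undetermined issues" even though this commit moves that CVE to <unfixed>. Suggest replacing the removed lines with a dated NOTE carrying the outcome from the commit message (still affecting the 1.10 and 1.8 branches, fix scheduled for the next point release), so whoever picks up the DLA knows there is no upstream patch to backport yet.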
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/31a793b915703408802b320a2a331a3d7fe213be