[Git][security-tracker-team/security-tracker][master] Update radare2 information for CVE-2019-16718 and CVE-2019-14745

Salvatore Bonaccorso carnil at debian.org
Mon Sep 23 21:41:46 BST 2019 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8264ae9e by Salvatore Bonaccorso at 2019-09-23T20:39:33Z
Update radare2 information for CVE-2019-16718 and CVE-2019-14745

CVE-2019-16718 exists due to incomplete fixes to CVE-2019-14745. In
Debian the later was not yet fixed, thus CVE-2019-16718 is not affecting
the source in Debian, mark it as such.

Expand note for CVE-2019-14745 to make clear that further commits are
needed to not open CVE-2019-16718.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -18,7 +18,7 @@ CVE-2019-16720 (ZZZCMS zzzphp v1.7.2 does not properly restrict file upload in p
 CVE-2019-16719 (WTCMS 1.0 allows index.php?g=admin&m=index&a=index CSRF with r ...)
 	NOT-FOR-US: WTCMS
 CVE-2019-16718 (In radare2 before 3.9.0, a command injection vulnerability exists in b ...)
-	TODO: check
+	- radare2 <not-affected> (Incomplete fixes for CVE-2019-14745 not applied)
 CVE-2019-16717
 	RESERVED
 CVE-2019-16716
@@ -5625,6 +5625,10 @@ CVE-2019-14745 (In radare2 before 3.7.0, a command injection vulnerability exist
 	[buster] - radare2 <no-dsa> (Minor issue)
 	[stretch] - radare2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/radare/radare2/pull/14690
+	NOTE: When fixing this ussue make sure to not only apply the initial commits but
+	NOTE: as well the followups to avoid opening CVE-2019-16718:
+	NOTE: https://github.com/radareorg/radare2/commit/5411543a310a470b1257fb93273cdd6e8dfcb3af
+	NOTE: https://github.com/radareorg/radare2/commit/dd739f5a45b3af3d1f65f00fe19af1dbfec7aea7
 CVE-2019-14744 (In KDE Frameworks KConfig before 5.61.0, malicious desktop files and c ...)
 	{DSA-4494-1 DLA-1890-1}
 	- kconfig 5.54.0-2 (bug #934267)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8264ae9e34bab52b33e319c3f558c7ea1efd2b94

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8264ae9e34bab52b33e319c3f558c7ea1efd2b94
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190923/7fbaa5a9/attachment.html>

More information about the debian-security-tracker-commits mailing list