[Git][security-tracker-team/security-tracker][master] Update entries for CVE-2019-20168 and CVE-2019-20169
Salvatore Bonaccorso
carnil at debian.org
Fri Jan 17 21:38:19 GMT 2020
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
18f6f4ff by Salvatore Bonaccorso at 2020-01-17T22:38:06+01:00
Update entries for CVE-2019-20168 and CVE-2019-20169
As the "PoC does not crash" cannot as sole argument be taken for a
not-affected but there was quite some effort put in triaging those I did
not want to revert to unfixed state based on that.
I tried to dig further into the issues to try to find out where exactly
the issue was introduced.
For CVE-2019-20168 the PoC makes the vulnerability visible at least
starting in v0.8.0, the use_dump_mode still was already introduced
earlier (in v0.7.0).
For CVE-2019-20169 the PoC makes at least the issue immediately visible
with the 9ea1fb398916 ("made isobmf dump use source box order") and the
fix applied by upstream directly refers to it. This was verified by
directly bisecting the git repository with telp of the PoC and further
checking the affected code paths.
The end-result is still not fully satisfactory, so further reviewers
take it from here please. CVE-2019-20169 seem good covered,
CVE-2019-20168 might want to need some additional verifications.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -4770,12 +4770,15 @@ CVE-2019-20170 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-developm
NOTE: https://github.com/gpac/gpac/issues/1328
NOTE: https://github.com/gpac/gpac/commit/16856430287cc10f495eb241910b4dc45b193e03
CVE-2019-20169 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
- - gpac <not-affected> (PoC does not crash, fix relates to 'use_dump_mode' introduced in v0.7.0)
+ - gpac <not-affected> (Vulnerability introduced later, fix relates to 'use_dump_mode' introduced in v0.7.0)
NOTE: https://github.com/gpac/gpac/issues/1329
+ NOTE: Introduces use_dump_mode: https://github.com/gpac/gpac/commit/9ea1fb39891669014a6e7592a4422e8de630cdc0 (v0.7.0)
NOTE: https://github.com/gpac/gpac/commit/a8b6246da925cf744805c9427a01fcacb53314bb
CVE-2019-20168 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
- - gpac <not-affected> (PoC does not crash, fix relates to 'use_dump_mode' introduced in v0.7.0)
+ - gpac <not-affected> (Vulnerability introduced later, fix relates to 'use_dump_mode' introduced in v0.7.0)
NOTE: https://github.com/gpac/gpac/issues/1333
+ NOTE: Introduces use_dump_mode: https://github.com/gpac/gpac/commit/9ea1fb39891669014a6e7592a4422e8de630cdc0 (v0.7.0)
+ NOTE: Uncovers/makes visible the vulnerability: https://github.com/gpac/gpac/commit/697d6afb3cd012d442e12400b6841ebd1256a354 (v0.8.0)
NOTE: https://github.com/gpac/gpac/commit/a8b6246da925cf744805c9427a01fcacb53314bb
CVE-2019-20167 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
- gpac <not-affected> (Vulnerable code introduced in development version after v0.8.0)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/18f6f4ff96f6fef53e09a7a4655ff43af474beb5
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/18f6f4ff96f6fef53e09a7a4655ff43af474beb5
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200117/a5927707/attachment-0001.html>
More information about the debian-security-tracker-commits
mailing list