[Git][security-tracker-team/security-tracker][master] 2 commits: Concluded that the mentioned code is in place for jessie but the vulnerability...

Ola Lundqvist opal at debian.org
Sun Jan 19 21:28:38 GMT 2020 


Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
87322fcf by Ola Lundqvist at 2020-01-19T22:12:38+01:00
Concluded that the mentioned code is in place for jessie but the vulnerability is minor. It is possible to execute arbitrary arithmetic expression but not arbitrary expression.

- - - - -
5051c52b by Ola Lundqvist at 2020-01-19T22:28:08+01:00
CVE-2019-19918 and CVE-2019-19917 are marked as no-dsa for Buster and Stretch. No reason to treat Jessie differently. Since there are just two CVEs for lout the package is also removed from dla-needed.txt.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -7878,11 +7878,13 @@ CVE-2019-19918 (Lout 3.40 has a heap-based buffer overflow in the srcnext() func
 	- lout <unfixed> (bug #947113)
 	[buster] - lout <no-dsa> (Minor issue)
 	[stretch] - lout <no-dsa> (Minor issue)
+	[jessie] - lout <ignored> (Minor issue)
 	NOTE: https://lists.gnu.org/archive/html/lout-users/2019-12/msg00001.html
 CVE-2019-19917 (Lout 3.40 has a buffer overflow in the StringQuotedWord() function in  ...)
 	- lout <unfixed> (bug #947113)
 	[buster] - lout <no-dsa> (Minor issue)
 	[stretch] - lout <no-dsa> (Minor issue)
+	[jessie] - lout <ignored> (Minor issue)
 	NOTE: https://lists.gnu.org/archive/html/lout-users/2019-12/msg00002.html
 CVE-2020-3939
 	RESERVED
@@ -29598,7 +29600,10 @@ CVE-2019-14869 (A flaw was found in all versions of ghostscript 9.x before 9.50,
 CVE-2019-14868 [environment variables on startup are interpreted as arithmetic expression leading to code injection]
 	RESERVED
 	- ksh 2020.0.0-2.1 (bug #948989)
+	[jessie] - ksh <ignored> (Minor issue)
 	NOTE: https://github.com/att/ast/commit/c7de8b641266bac7c77942239ac659edfee9ecd2
+	NOTE: It is possible to execute arbitrary arithmetic expression but not arbitrary expression. Jessie
+	NOTE: and buster tested so far. (opal) Due to this marked as minor issue for jessie.
 CVE-2019-14867 (A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x ve ...)
 	- freeipa 4.8.3-1
 	[buster] - freeipa <no-dsa> (Minor issue; can be fixed via point release)


=====================================
data/dla-needed.txt
=====================================
@@ -40,10 +40,6 @@ ibus
 jackson-databind
   NOTE: 20200105: Can be postponed again. (apo)
 --
-ksh
-  NOTE: 20200118: Upstream patch doesn't apply at all, but not clear if
-  NOTE: 20200118: or not. Thus, deeper triaging required. (sunweaver)
---
 libexif (Hugo Lefeuvre)
   NOTE: 20191111: Contacted upstream for relevant commits of CVE-2019-9278. (utkarsh2102)
   NOTE: 20191114: Pinged upstream; just have the Android patch yet. (utkarsh2102)
@@ -75,15 +71,6 @@ linux (Ben Hutchings)
 --
 linux-4.9 (Ben Hutchings)
 --
-lout
-  NOTE: 20191221: Package is orphaned and has similar version in unstable.
-  NOTE: 20191221: Upstream maintenance may have ceased to exist, too.
-  NOTE: 20191221: If we fix it in jessie LTS, we should als NMU those fixes
-  NOTE: 20191221: to unstable. (sunweaver)
-  NOTE: 20191221: https://lists.gnu.org/archive/html/lout-users/2019-12/msg00005.html
-  NOTE: 20191221: (-> at least someone is still active on lout, providing some
-  NOTE: 20191221: patches, not related to the open CVEs, though)
---
 nss (Markus Koschany)
 --
 opendmarc (Thorsten Alteholz)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/b25c30c0a23f30d378c1e31169ebf8005c207ced...5051c52bfa35dac18e7e96145af84a0fc6965602

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/b25c30c0a23f30d378c1e31169ebf8005c207ced...5051c52bfa35dac18e7e96145af84a0fc6965602
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200119/3667f8b5/attachment-0001.html>

More information about the debian-security-tracker-commits mailing list