[Git][security-tracker-team/security-tracker][master] Further libstb triage

Moritz Muehlenhoff jmm at debian.org
Tue Jan 21 22:26:59 GMT 2020



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
888b0cc7 by Moritz Muehlenhoff at 2020-01-21T23:25:49+01:00
Further libstb triage
Remove preliminary NOTEs; bugs will be filed to address the embedded code
copies, but there's no need to treat any of the current embeds as security
issues in the packages embedding them.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1822,35 +1822,29 @@ CVE-2020-6623 (stb stb_truetype.h through 1.22 has an assertion failure in stbtt
 	NOTE: https://github.com/nothings/stb/issues/865
 	NOTE: Potentially affects mame, embree, libtcod, sumo, goxel, mesa, godot, dart
 CVE-2020-6622 (stb stb_truetype.h through 1.22 has a heap-based buffer over-read in s ...)
-	- libstb <unfixed> (low)
+	- libstb <unfixed> (low; bug #949559)
 	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/issues/869
-	NOTE: Potentially affects mame, embree, libtcod, sumo, goxel, mesa, godot, dart
 CVE-2020-6621 (stb stb_truetype.h through 1.22 has a heap-based buffer over-read in t ...)
-	- libstb <unfixed> (low)
+	- libstb <unfixed> (low; bug #949558)
 	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/issues/867
-	NOTE: Potentially affects mame, embree, libtcod, sumo, goxel, mesa, godot, dart
 CVE-2020-6620 (stb stb_truetype.h through 1.22 has a heap-based buffer over-read in s ...)
-	- libstb <unfixed> (low)
+	- libstb <unfixed> (low; bug #949557)
 	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/issues/868
-	NOTE: Potentially affects mame, embree, libtcod, sumo, goxel, mesa, godot, dart
 CVE-2020-6619 (stb stb_truetype.h through 1.22 has an assertion failure in stbtt__buf ...)
-	- libstb <unfixed> (low)
+	- libstb <unfixed> (low; bug #949556)
 	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/issues/863
-	NOTE: Potentially affects mame, embree, libtcod, sumo, goxel, mesa, godot, dart
 CVE-2020-6618 (stb stb_truetype.h through 1.22 has a heap-based buffer over-read in s ...)
-	- libstb <unfixed> (low)
+	- libstb <unfixed> (low; bug #949555)
 	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/issues/866
-	NOTE: Potentially affects mesa, libstb, embree, zynaddsubfx, qemu, godot, sumo, libtcod, box2d, goxel, mame, u-boot, retroarch, dart, zam-plugins, renderdoc
 CVE-2020-6617 (stb stb_truetype.h through 1.22 has an assertion failure in stbtt__cff ...)
-	- libstb <unfixed> (low)
+	- libstb <unfixed> (low; bug #949554)
 	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/issues/867
-	NOTE: Potentially affects mame, embree, libtcod, sumo, goxel, mesa, godot, dart
 CVE-2020-6616
 	RESERVED
 CVE-2020-6615 (GNU LibreDWG 0.9.3.2564 has an invalid pointer dereference in dwg_dyna ...)
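Review bot: Two issue links in this hunk look inconsistent with the rest of the block and should be checked before the NOTEs are trimmed further. CVE-2020-6617 and CVE-2020-6621 both point at https://github.com/nothings/stb/issues/867, while the other five entries each reference a distinct upstream issue (863, 865, 866, 868, 869) and 864 is referenced by none of them, so one of the two 867 links is likely a copy error. Separately, the commit message says the preliminary "Potentially affects" NOTEs are being removed, yet the CVE-2020-6623 entry at the top of the hunk keeps its "NOTE: Potentially affects mame, embree, libtcod, ..." line; either drop it for consistency with the six entries below it, or add a NOTE explaining why that CVE still needs the list.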
@@ -69818,11 +69812,9 @@ CVE-2018-19756 (There is a heap-based buffer over-read at stb_image.h (function:
 	[buster] - libsixel 1.8.2-1+deb10u1
 	[stretch] - libsixel <no-dsa> (Minor issue)
 	[jessie] - libsixel <not-affected> (The vulnerable code is not present)
-	- libstb <unfixed> (low)
-	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/saitoha/libsixel/issues/80
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649198 (reproducer)
-	NOTE: Pontentially affects mame, libsfml, love, zynaddsubfx, yquake2, ccextractor, zam-plugins, osgearth, catimg, darknet, gem, retroarch, renderdoc, goxel
+	NOTE: CVE description is misleading, not an issue in libstb
 CVE-2018-19755 (There is an illegal address access at asm/preproc.c (function: is_mmac ...)
 	- nasm <unfixed> (unimportant; bug #915087)
 	NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392528
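Review bot: Deleting the two libstb lines from CVE-2018-19756 leaves the package with no tracker state for this CVE at all, so a later triager has to re-derive from the free-form NOTE that libstb was looked at and dismissed. The file's own convention for this situation is visible three lines above in the same hunk, "[jessie] - libsixel <not-affected> (The vulnerable code is not present)"; consider replacing the removed "- libstb <unfixed> (low)" with "- libstb <not-affected> (CVE description is misleading, not an issue in libstb)" and keeping the new NOTE as the explanation, so the decision is machine-readable and does not get silently re-opened by the next scan of stb_image.h embeds.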



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/888b0cc71f33ccf334d89202d12bb29c4df340c3




