[Git][security-tracker-team/security-tracker][master] CVE-2020-16116: upstream code base has changed a lot with
Abhijith PA
abhijith at debian.org
Fri Nov 6 05:01:54 GMT 2020
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker
Commits:
4e6df42b by Abhijith PA at 2020-11-06T10:24:35+05:30
CVE-2020-16116: upstream code base has changed a lot with
internships such as GSoC. Backported patch only working
for GUI not for CLI (ark --batch). Marking it as no-dsa
CVE-2020-24654: stretch version is vulnerable even after applying
upstream patch. Code base changed a lot and hard to backport.
Marking as no-dsa as well
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -8420,6 +8420,7 @@ CVE-2020-24655 (A race condition in the Twilio Authy 2-Factor Authentication app
CVE-2020-24654 (In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can ins ...)
{DSA-4759-1}
- ark 4:20.08.1-1 (bug #969437)
+ [stretch] - ark <no-dsa> (Vulnerable even after upstream patch)
NOTE: https://github.com/KDE/ark/commit/8bf8c5ef07b0ac5e914d752681e470dea403a5bd
NOTE: https://kde.org/info/security/advisory-20200827-1.txt
CVE-2020-24653 (secure-store in Expo through 2.16.1 on iOS provides the insecure kSecA ...)
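Review bot: The new stretch line gives "Vulnerable even after upstream patch" as the reason for `<no-dsa>`, but that wording describes the package's state, not why no update will be issued; the commit message says the code base changed a lot and the fix is hard to backport, which is the actual justification and should be what the parenthetical records, for example `[stretch] - ark <no-dsa> (Upstream fix does not apply cleanly to 16.08; stretch remains vulnerable after backport attempt)`. As written, someone scanning data/CVE/list could read it as a statement that the upstream commit linked in the NOTE is ineffective in general rather than only in the stretch backport.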
@@ -25809,6 +25810,7 @@ CVE-2020-16117 (In GNOME evolution-data-server before 3.35.91, a malicious serve
CVE-2020-16116 (In kerfuffle/jobs.cpp in KDE Ark before 20.08.0, a crafted archive can ...)
{DSA-4738-1}
- ark 4:20.04.3-1
+ [stretch] - ark <no-dsa> (Intrusive to backport, partial patch for GUI https://people.debian.org/~abhijith/upload/backport_to_1608.patch)
NOTE: https://kde.org/info/security/advisory-20200730-1.txt
NOTE: https://invent.kde.org/utilities/ark/-/commit/0df592524fed305d6fbe74ddf8a196bc9ffdb92f
CVE-2020-16115
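Review bot: The stretch status line embeds a link to a personal web space (https://people.debian.org/~abhijith/upload/backport_to_1608.patch) inside the `<no-dsa>` parenthetical; that location is not durable, and the tracker convention is to keep the parenthetical short and put references on NOTE lines. Suggest `[stretch] - ark <no-dsa> (Intrusive to backport; partial patch covers GUI only)` followed by a `NOTE:` line carrying the patch URL, and state explicitly that the CLI path (`ark --batch`, per the commit message) is not covered, so the remaining exposure is recorded where the next person looking at this CVE will see it.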
=====================================
data/dla-needed.txt
=====================================
@@ -21,13 +21,6 @@ ansible
NOTE: 20200508: bam: Upstream fix was reverted - https://github.com/ansible/ansible/pull/68983
NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794
--
-ark
- NOTE: 20200731: given PoC not working as intended. (abhijith)
- NOTE: 20200801: though testing with other PoC's available over internet seems exploitable (abhijith)
- NOTE: 20200820: pinged upstream for help (abhijith)
- NOTE: 20200907: patch https://people.debian.org/~abhijith/upload/backport_to_1608.patch crashes (abhijith)
- NOTE: 20200921: CLI works but GUI not, It seems the fix is not compatible with the old architecture (abhijith)
---
brotli (Roberto C. Sánchez)
NOTE: 20201025: Requested patch review on debian-lts at l.d.o (roberto)
--
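Review bot: Dropping the ark entry discards the only written history of the backport attempt (PoC results, the 20200907 crash, the 20200921 architecture note), and nothing equivalent is carried over into data/CVE/list beyond the short parentheticals. The removed 20200921 note also says "CLI works but GUI not", while the commit message says the opposite (patch works for GUI, not for CLI `ark --batch`); one of the two is wrong, and the no-dsa justification should be checked against whichever is correct before this lands. Suggest moving a condensed, dated summary of these notes onto NOTE lines under CVE-2020-16116 so the reasoning survives the removal from dla-needed.txt.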
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e6df42b032f192445aeb2f8c5808481f75a785c