[Git][security-tracker-team/security-tracker][master] 6 commits: Triage CVE-2021-35942 in glibc for stretch LTS.

Chris Lamb (@lamby) lamby at debian.org
Mon Jul 5 09:43:46 BST 2021



Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6f86e50f by Chris Lamb at 2021-07-05T09:36:01+01:00
Triage CVE-2021-35942 in glibc for stretch LTS.

- - - - -
8d99b99f by Chris Lamb at 2021-07-05T09:37:44+01:00
Triage CVE-2021-3631 in libvirt for stretch LTS.

- - - - -
cd34afbd by Chris Lamb at 2021-07-05T09:39:15+01:00
Triage CVE-2021-36081 in tesseract for stretch LTS.

- - - - -
d26d1e4a by Chris Lamb at 2021-07-05T09:40:27+01:00
Triage CVE-2018-25017 in darktable for stretch LTS.

- - - - -
d9e14ec8 by Chris Lamb at 2021-07-05T09:41:14+01:00
Triage CVE-2017-20006 in unrar-nonfree for stretch LTS.

- - - - -
64b3e38d by Chris Lamb at 2021-07-05T09:43:19+01:00
Triage CVE-2021-36083 in kimageformats for stretch LTS.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -179,6 +179,7 @@ CVE-2021-36083 (KDE KImageFormats 5.70.0 through 5.81.0 has a stack-based buffer
 	[experimental] - kimageformats 5.83.0-1
 	- kimageformats 5.78.0-5 (bug #990527)
 	[buster] - kimageformats <no-dsa> (Minor issue)
+	[stretch] - kimageformats <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33742
 	NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/kimageformats/OSV-2021-695.yaml
 	NOTE: https://invent.kde.org/frameworks/kimageformats/commit/297ed9a2fe339bfe36916b9fce628c3242e5be0f
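Review bot: the stretch line copies buster's <no-dsa> (Minor issue) verdict, but the header gives the affected range as KDE KImageFormats 5.70.0 through 5.81.0 and nothing in the entry records which version stretch ships. If the stretch package predates 5.70.0, <not-affected> (Vulnerable code not present) is the accurate state and keeps the package out of the LTS no-dsa queue; if it is in range, a NOTE saying so would make the Minor issue call auditable later.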
@@ -190,6 +191,7 @@ CVE-2021-36082 (ntop nDPI 3.4 has a stack-based buffer overflow in processClient
 CVE-2021-36081 (Tesseract OCR 5.0.0-alpha-20201231 has a one_ell_conflict use-after-fr ...)
 	- tesseract <unfixed> (bug #990529)
 	[buster] - tesseract <no-dsa> (Minor issue)
+	[stretch] - tesseract <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29698
 	NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/tesseract-ocr/OSV-2021-211.yaml
 	NOTE: https://github.com/tesseract-ocr/tesseract/commit/e6f15621c2ab2ecbfabf656942d8ef66f03b2d55
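Review bot: the stretch line mirrors buster, yet the description is for Tesseract OCR 5.0.0-alpha-20201231 and the unstable entry is still <unfixed> (bug #990529), so nothing in the entry shows the one_ell_conflict bug was checked against the stretch source. A short NOTE stating whether that code is present in the stretch version, or a <not-affected> line if it is not, would be stronger than inheriting Minor issue from buster.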
@@ -244,6 +246,7 @@ CVE-2018-25018 (UnRAR 5.6.1.7 through 5.7.4 and 6.0.3 has an out-of-bounds write
 	NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/unrar/OSV-2018-204.yaml
 CVE-2018-25017 (RawSpeed (aka librawspeed) 3.1 has a heap-based buffer overflow in Tab ...)
 	- darktable 2.6.0-1
+	[stretch] - darktable <not-affected> (Vulnerable code added later)
 	- photoflow <not-affected> (Fixed before initial upload to the archive)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5256
 	NOTE: https://github.com/darktable-org/rawspeed/commit/dbe7591e54bad5e6430d38be6bed051582da76b9
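Review bot: the stretch reason, Vulnerable code added later, is not backed by anything visible in the entry: the header says RawSpeed 3.1 has the overflow, and the existing NOTE that darktable 2.6.0 is the first release to bundle rawspeed 3.2 with the fixes explains why 2.6.0-1 is the fixed version, not why the stretch build is unaffected. Add a NOTE naming the rawspeed version bundled in the stretch darktable, or the upstream commit that introduced the vulnerable code, so the <not-affected> claim can be re-checked without redoing the analysis.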
@@ -251,6 +254,7 @@ CVE-2018-25017 (RawSpeed (aka librawspeed) 3.1 has a heap-based buffer overflow
 	NOTE: darktable 2.6.0 is the first release to bundle rawspeed 3.2 with the fixes
 CVE-2017-20006 (UnRAR 5.6.1.2 and 5.6.1.3 has a heap-based buffer overflow in Unpack:: ...)
 	- unrar-nonfree 1:5.6.6-1
+	[stretch] - unrar-nonfree <no-dsa> (Non-free not supported)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4373
 	NOTE: https://github.com/aawc/unrar/commit/0ff832d31470471803b175cfff4e40c1b08ee779
 	NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/unrar/OSV-2017-104.yaml
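Review bot: <no-dsa> (Non-free not supported) matches the tracker's usual reason for packages outside security support, so the line is acceptable as written; note, though, that the description pins the bug to UnRAR 5.6.1.2 and 5.6.1.3 and the fix to 1:5.6.6-1, so if stretch ships a version older than 5.6.1.2, <not-affected> would record something truer than an unsupported-package marker. A one-line check of the stretch version is worth doing before leaving it as no-dsa.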
@@ -259,6 +263,7 @@ CVE-2021-3631 [insecure sVirt label generation]
 	- libvirt <unfixed>
 	[bullseye] - libvirt <no-dsa> (Minor issue)
 	[buster] - libvirt <no-dsa> (Minor issue)
+	[stretch] - libvirt <no-dsa> (Minor issue)
 	NOTE: https://gitlab.com/libvirt/libvirt/-/issues/153
 	NOTE: Fixed by: https://gitlab.com/libvirt/libvirt/-/commit/15073504dbb624d3f6c911e85557019d3620fdb2 (v7.5.0)
 CVE-2021-36079
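Review bot: the stretch line is consistent with the bullseye and buster triage, but the unstable line `- libvirt <unfixed>` carries no bug reference, unlike the glibc and tesseract entries in this same change (bug #990542, bug #990529). Since the NOTE already identifies the fixing commit 15073504dbb624d3f6c911e85557019d3620fdb2 (v7.5.0), filing a bug against libvirt and recording its number on that line would give the maintainer and the next triager a direct pointer to the fix.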
@@ -540,6 +545,7 @@ CVE-2021-35942 [Wild read in wordexp (parse_param)]
 	- glibc <unfixed> (bug #990542)
 	[bullseye] - glibc <no-dsa> (Minor issue)
 	[buster] - glibc <no-dsa> (Minor issue)
+	[stretch] - glibc <no-dsa> (Minor issue)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28011
 	NOTE: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c
 CVE-2021-35941 (Western Digital WD My Book Live (2.x and later) and WD My Book Live Du ...)
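Review bot: with stretch now the fourth release line marked <no-dsa> (Minor issue) or <unfixed>, the entry still never says why a wild read in wordexp's parse_param is rated minor. The linked bugzilla and commit give the fix but not the severity reasoning; a NOTE recording the rationale, for instance what an attacker has to control to reach the read, would let the LTS team re-evaluate if the upstream assessment changes.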



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a1313543c56b0955faba7ecb29e64d3be2881520...64b3e38d28cd92262c58831ed6a692f74d1fd807


