[Git][security-tracker-team/security-tracker][master] issue DLA-3214-1 for libraw
Helmut Grohne (@helmutg)
helmutg at debian.org
Wed Nov 30 20:57:41 GMT 2022
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker
Commits:
245c2a39 by Helmut Grohne at 2022-11-30T21:56:35+01:00
issue DLA-3214-1 for libraw
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -163032,7 +163032,7 @@ CVE-2020-24890 (** DISPUTED ** libraw 20.0 has a null pointer dereference vulner
NOTE: https://github.com/LibRaw/LibRaw/issues/335#issuecomment-677637276
CVE-2020-24889 (A buffer overflow vulnerability in LibRaw version < 20.0 LibRaw::Ge ...)
- libraw 0.20.2-1
- [buster] - libraw <no-dsa> (Minor issue)
+ [buster] - libraw <not-affected> (Hassleblad data parser added in 0.20)
[stretch] - libraw <not-affected> (Vulnerable code not present)
NOTE: https://github.com/LibRaw/LibRaw/issues/334
NOTE: https://github.com/LibRaw/LibRaw/commit/78d323ecbe6a9752aee6e97118a76d40704d73ee
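Review bot: the added [buster] line for CVE-2020-24889 misspells the vendor name: "Hassleblad" should be "Hasselblad", otherwise a search of data/CVE/list for the parser name will miss this entry. The change from <no-dsa> to <not-affected> is also a separate triage decision that the commit message "issue DLA-3214-1 for libraw" does not mention. Name it in the message or split it into its own commit so the reasoning can be found in history.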
@@ -183716,7 +183716,6 @@ CVE-2020-15504 (A SQL injection vulnerability in the user and admin web interfac
CVE-2020-15503 (LibRaw before 0.20-RC1 lacks a thumbnail size range check. This affect ...)
[experimental] - libraw 0.20.0-1
- libraw 0.20.0-4 (bug #964747)
- [buster] - libraw <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1853477
NOTE: https://github.com/LibRaw/LibRaw/commit/20ad21c0d87ca80217aee47533d91e633ce1864d
CVE-2020-15502 (** DISPUTED ** The DuckDuckGo application through 5.58.0 for Android, ...)
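Review bot: under CVE-2020-15503 the "[buster] - libraw <no-dsa> (Minor issue)" line is removed with nothing put in its place, so within data/CVE/list the entry no longer carries any buster status. The fixed version 0.19.2-2+deb10u2 appears only in the data/DLA/list hunk of this commit. Please confirm that the buster fixed version reaches this entry from the DLA record, and if it does not, add "[buster] - libraw 0.19.2-2+deb10u2" here.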
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[30 Nov 2022] DLA-3214-1 libraw - security update
+ {CVE-2020-15503}
+ [buster] - libraw 0.19.2-2+deb10u2
[29 Nov 2022] DLA-3213-1 krb5 - security update
{CVE-2022-42898}
[buster] - krb5 1.17-3+deb10u5
=====================================
data/dla-needed.txt
=====================================
@@ -121,10 +121,6 @@ libpgjava
NOTE: 20221128: Please check, whether CVE-2022-41946 affects modern systems (gladk).
NOTE: 20221128: If not - please mark it as <ignored> (gladk).
--
-libraw
- NOTE: 20221129: Programming language: C++.
- NOTE: 20221129: VCS: https://salsa.debian.org/lts-team/packages/libraw.git
---
libreoffice
NOTE: 20221012: Programming language: C++.
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/245c2a3955a3dafe6de3d55f4c41da07cff276c1