[Git][security-tracker-team/security-tracker][master] triage leptonlib

Helmut Grohne (@helmutg) helmutg at debian.org
Tue Jan 10 11:00:26 GMT 2023



Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker


Commits:
accb17ef by Helmut Grohne at 2023-01-10T11:59:40+01:00
triage leptonlib

 * Remove a bunch of annotations that will end up conflicting with the
   ELTS tracker.
 * Note patch for CVE-2018-7442 and explain that it changes behaviour.
 * Note that CVE-2018-7441 is not neutralized, remove unimportant, list
   patches.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -325949,8 +325949,6 @@ CVE-2017-18190 (A localhost.localdomain whitelist entry in valid_host() in sched
 CVE-2018-7186 (Leptonica before 1.75.3 does not limit the number of characters in a % ...)
 	{DLA-1302-1}
 	- leptonlib 1.75.3-2 (low; bug #890548)
-	[stretch] - leptonlib <no-dsa> (Minor issue)
-	[jessie] - leptonlib <no-dsa> (Minor issue)
 	NOTE: https://github.com/DanBloomberg/leptonica/commit/ee301cb2029db8a6289c5295daa42bba7715e99a
 CVE-2018-7180 (SQL Injection exists in the Saxum Astro 4.0.14 component for Joomla! v ...)
 	NOT-FOR-US: Saxum Astro component for Joomla!
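Review bot: removing both the `[stretch]` and `[jessie]` `<no-dsa>` lines for CVE-2018-7186 leaves stretch with no suite annotation at all, so its state will be derived from the fixed version `1.75.3-2` alone, while jessie keeps `{DLA-1302-1}`. The commit message explains this is done to avoid conflicts with the ELTS tracker, but nothing in the entry itself records that decision; a one-line NOTE saying where the stretch/jessie triage now lives would keep the reasoning reconstructible from `data/CVE/list` alone.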
@@ -335436,17 +335434,19 @@ CVE-2018-3837 (An exploitable information disclosure vulnerability exists in the
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0519
 CVE-2018-7442 (An issue was discovered in Leptonica through 1.75.3. The gplotMakeOutp ...)
 	- leptonlib 1.76.0-1 (bug #898439)
-	[stretch] - leptonlib <no-dsa> (Minor issue)
-	[jessie] - leptonlib <no-dsa> (Minor issue)
 	[wheezy] - leptonlib <ignored> (Minor issue)
 	NOTE: https://lists.debian.org/debian-lts/2018/02/msg00086.html
+	NOTE: https://github.com/DanBloomberg/leptonica/commit/24cca39cbeafd7943fb6ec723c9c1f525c24eb9f
+	NOTE: The patch deactivates debugging functions by default and thus changes behaviour.
 CVE-2018-7441 (Leptonica through 1.75.3 uses hardcoded /tmp pathnames, which might al ...)
-	- leptonlib 1.76.0-1 (unimportant)
+	- leptonlib 1.76.0-1
 	NOTE: https://lists.debian.org/debian-lts/2018/02/msg00054.html
-	NOTE: Neutralised by kernel hardening
+	NOTE: Not neutralised by kernel hardening, because subdirectories of /tmp are not hardened
+	NOTE: https://github.com/DanBloomberg/leptonica/commit/dcaf546c748aaf13fd14289677037e83d749455f
+	NOTE: The patch requires CVE-2018-7442 patch as underlying infrastructure.
+	NOTE: The patch deactivates debugging functions by default and thus changes behaviour.
 CVE-2017-18196 (Leptonica 1.74.4 constructs unintended pathnames (containing duplicate ...)
 	- leptonlib 1.74.4-2 (low; bug #885704)
-	[stretch] - leptonlib <no-dsa> (Minor issue)
 	[jessie] - leptonlib <not-affected> (Vulnerable code not present)
 	[wheezy] - leptonlib <not-affected> (Vulnerable code not present)
 CVE-2018-7440 (An issue was discovered in Leptonica through 1.75.3. The gplotMakeOutp ...)
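Review bot: `+	- leptonlib 1.76.0-1` drops the `(unimportant)` severity for CVE-2018-7441 without recording a replacement, so after this change the entry carries no severity even though the new NOTE argues the issue is real ("Not neutralised by kernel hardening, because subdirectories of /tmp are not hardened"); state the intended severity explicitly (and a bug reference if one exists) rather than leaving it implicit. Two smaller points: the NOTE "The patch deactivates debugging functions by default and thus changes behaviour." is now duplicated verbatim under CVE-2018-7442 and CVE-2018-7441, and since the 7441 NOTE already says its patch requires the 7442 patch, the second copy could simply refer to 7442. Also, the replacement NOTE would be more useful if it named which kernel hardening it means, given that the old NOTE only said "kernel hardening" and the correction hinges on that mechanism not covering subdirectories of /tmp.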
@@ -335459,8 +335459,6 @@ CVE-2018-7440 (An issue was discovered in Leptonica through 1.75.3. The gplotMak
 CVE-2018-3836 (An exploitable command injection vulnerability exists in the gplotMake ...)
 	{DLA-1284-1}
 	- leptonlib 1.75.3-1 (bug #889759)
-	[stretch] - leptonlib <no-dsa> (Minor issue)
-	[jessie] - leptonlib <no-dsa> (Minor issue)
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0516
 	NOTE: https://github.com/DanBloomberg/leptonica/issues/303
 	NOTE: When fixing this issue make sure the fix is complete and includes as well
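Review bot: same pattern as the CVE-2018-7186 hunk: with both `<no-dsa>` lines for CVE-2018-3836 removed, jessie is still covered by `{DLA-1284-1}` but stretch has no annotation and the fixed version `1.75.3-1` is the only thing left to go on. The trailing context NOTE ("When fixing this issue make sure the fix is complete and includes as well ...") is exactly the guidance a stretch fix would now depend on, so it is worth confirming that the rest of that NOTE below the hunk still lists the additional commits it refers to.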



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/accb17ef45236f07536a694b7f1c6762b87d4b0f


