[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri Apr 25 16:20:28 BST 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
83b54f50 by Moritz Muehlenhoff at 2025-04-25T17:20:19+02:00
bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -397,19 +397,23 @@ CVE-2025-46417 (The unsafe globals in Picklescan before 0.0.25 do not include ss
NOT-FOR-US: Picklescan
CVE-2025-46400 (Segmentation fault in fig2dev in version 3.2.9a allows an attacker to ...)
- fig2dev 1:3.2.9a-3
+ [bookworm] - fig2dev <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/mcj/tickets/187/
NOTE: Fixed by: https://sourceforge.net/p/mcj/fig2dev/ci/1e5515a1ea2ec8651cf85ab5000d026bb962492a/
NOTE: Fixed by: https://sourceforge.net/p/mcj/fig2dev/ci/c4465e0d9af89d9738aad31c2d0873ac1fa03c96/
CVE-2025-46399 (Segmentation fault in fig2dev in version 3.2.9aallows an attacker to a ...)
- fig2dev 1:3.2.9a-4
+ [bookworm] - fig2dev <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/mcj/tickets/190/
NOTE: Fixed by: https://sourceforge.net/p/mcj/fig2dev/ci/2bd6c0b210916d0d3ca81f304535b5af0849aa93/
CVE-2025-46398 (Stack-overflowin fig2dev in version 3.2.9a allows an attacker possible ...)
- fig2dev 1:3.2.9a-4
+ [bookworm] - fig2dev <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/mcj/tickets/191/
NOTE: Fixed by: https://sourceforge.net/p/mcj/fig2dev/ci/5f22009dba73922e98d49c0096cece8b215cd45b/
CVE-2025-46397 (Stack-overflowin fig2dev in version 3.2.9a allows an attacker possible ...)
- fig2dev 1:3.2.9a-4
+ [bookworm] - fig2dev <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/mcj/tickets/192/
NOTE: Fixed by: https://sourceforge.net/p/mcj/fig2dev/ci/dfa8b661b506a463a669754ed635b0a8eb67580e/
CVE-2025-46381
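Review bot: all four added `[bookworm] - fig2dev <no-dsa> (Minor issue)` lines are consistent with each other, and each entry already links an upstream `Fixed by:` commit, so consider spelling out in the justification whether these crashes are meant to be picked up in a bookworm point release (the usual `(Minor issue; can be fixed via point release)` wording) or left unfixed in stable; as written the entries read the same as issues that will never be fixed there.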
@@ -464,6 +468,7 @@ CVE-2024-12244 (An issue has been discovered in access controls could allow user
- gitlab <not-affected> (Vulnerable code introduced later)
CVE-2025-46394 (In tar in BusyBox through 1.37.0, a TAR archive can have filenames hid ...)
- busybox <unfixed> (bug #1104008)
+ [bookworm] - busybox <no-dsa> (Minor issue)
NOTE: https://bugs.busybox.net/show_bug.cgi?id=16018
NOTE: https://www.openwall.com/lists/oss-security/2025/04/23/1
CVE-2025-46393 (In multispectral MIFF image processing in ImageMagick before 7.1.1-44, ...)
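Review bot: the unstable entry directly above the added line is still `<unfixed>` and the only references are a BusyBox bug report and an oss-security post, so no fix commit is known yet; `<no-dsa> (Minor issue)` is defensible for a tar filename-hiding issue, but with nothing to backport, `<postponed>` plus a revisit note (the wording this diff uses for giflib on bullseye) would keep the entry on the radar until upstream lands a fix.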
@@ -591,6 +596,7 @@ CVE-2025-1045 (Luxion KeyShot Viewer KSP File Parsing Heap-based Buffer Overflow
NOT-FOR-US: Luxion
CVE-2024-58251 (In netstat in BusyBox through 1.37.0, local users can launch of networ ...)
- busybox <unfixed> (bug #1104009)
+ [bookworm] - busybox <no-dsa> (Minor issue)
NOTE: https://bugs.busybox.net/show_bug.cgi?id=15922
CVE-2024-47829 (pnpm is a package manager. Prior to version 10.0.0, the path shortenin ...)
NOT-FOR-US: pnpm
@@ -605,6 +611,7 @@ CVE-2025-XXXX [RUSTSEC-2025-0024]
NOTE: Fixed by: https://github.com/crossbeam-rs/crossbeam/commit/6ec74ecae896df5fc239518b45a1bfd258c9db68 (crossbeam-channel-0.5.15)
CVE-2025-XXXX [RUSTSEC-2025-0023]
- rust-tokio 1.43.1-1 (bug #1103988)
+ [bookworm] - rust-tokio <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2025-0023.html
NOTE: https://github.com/tokio-rs/tokio/pull/7232
CVE-2025-46224
@@ -888,6 +895,7 @@ CVE-2024-13569 (The Front End Users WordPress plugin through 3.2.32 does not san
NOT-FOR-US: WordPress plugin
CVE-2024-58250 (The passprompt plugin in pppd in ppp before 2.5.2 mishandles privilege ...)
- ppp 2.5.2-1+1
+ [bookworm] - ppp <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/ppp-project/ppp/commit/0a66ad22e54c72690ec2a29a019767c55c5281fc (v2.5.2)
NOTE: Fix removes the passprompt plugin (can be replaced using passwordfd plugin, may break existing
NOTE: configurations)
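Review bot: the `NOTE:` lines in this hunk explain that the upstream fix removes the passprompt plugin and may break existing configurations, which is the real reason a stable update is undesirable; putting that into the annotation itself, e.g. `<no-dsa> (Minor issue; fix removes the plugin)`, makes the triage decision self-explanatory when the bookworm line is read on its own.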
@@ -985,15 +993,19 @@ CVE-2025-43966 (libheif before 1.19.6 has a NULL pointer dereference in ImageIte
NOTE: Fixed by: https://github.com/strukturag/libheif/commit/b38555387e4b5dcf036fe45b0c440aca19b7b69c (v1.19.6)
CVE-2025-43964 (In LibRaw before 0.21.4, tag 0x412 processing in phase_one_correct in ...)
- libraw 0.21.4-1 (bug #1103783)
+ [bookworm] - libraw <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/a50dc3f1127d2e37a9b39f57ad9bb2ebb60f18c0 (0.21.4)
CVE-2025-43963 (In LibRaw before 0.21.4, phase_one_correct in decoders/load_mfbacks.cp ...)
- libraw 0.21.4-1 (bug #1103782)
+ [bookworm] - libraw <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/be26e7639ecf8beb55f124ce780e99842de2e964 (0.21.4)
CVE-2025-43962 (In LibRaw before 0.21.4, phase_one_correct in decoders/load_mfbacks.cp ...)
- libraw 0.21.4-1 (bug #1103781)
+ [bookworm] - libraw <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/66fe663e02a4dd610b4e832f5d9af326709336c2 (0.21.4)
CVE-2025-43961 (In LibRaw before 0.21.4, metadata/tiff.cpp has an out-of-bounds read i ...)
- libraw 0.21.4-1 (bug #1103781)
+ [bookworm] - libraw <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/66fe663e02a4dd610b4e832f5d9af326709336c2 (0.21.4)
CVE-2025-0632 (Local File Inclusion (LFI) vulnerability in a Render function of Formu ...)
NOT-FOR-US: Formulatrix Rock Maker Web (RMW)
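Review bot: the CVE-2025-43961 entry (last block of the hunk) carries `bug #1103781` and the same `Fixed by:` commit (66fe663e...) as CVE-2025-43962 two entries above, while 43962, 43963 and 43964 each have their own bug number; if one Debian bug and one upstream commit really cover both CVEs this is fine, otherwise it looks like a copy-paste slip and 43961 should get its own bug reference. The four added `[bookworm]` lines themselves are consistent.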
@@ -1980,6 +1992,7 @@ CVE-2025-43717 (In PEAR HTTP_Request2 before 2.7.0, multiple files in the tests
NOT-FOR-US: PEAR HTTP_Request2
CVE-2025-43715 (Nullsoft Scriptable Install System (NSIS) before 3.11 on Windows allow ...)
- nsis 3.11-1 (bug #1103524)
+ [bookworm] - nsis <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/nsis/bugs/1315/
NOTE: https://nsis.sourceforge.io/Docs/AppendixF.html#v3.11-rl
NOTE: Fixed by: https://sourceforge.net/p/nsis/code/7444/
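Review bot: the description line for CVE-2025-43715 says the issue is in NSIS `on Windows`, so the justification on the added bookworm line should state whether the Linux build of the Debian nsis package (fixed in unstable as 3.11-1 per the line above) is affected at all; if the bug only triggers when NSIS itself runs on Windows, `<not-affected>` would fit better than `<no-dsa>`.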
@@ -3436,6 +3449,7 @@ CVE-2025-32779 (E.D.D.I (Enhanced Dialog Driven Interface) is a middleware to co
CVE-2025-32776 (OpenRazer is an open source driver and user-space daemon to control Ra ...)
{DLA-4136-1}
- openrazer 3.10.2+dfsg-1
+ [bookworm] - openrazer <no-dsa> (Minor issue)
NOTE: https://github.com/openrazer/openrazer/security/advisories/GHSA-835j-6976-46jx
NOTE: https://github.com/openrazer/openrazer/issues/2433
NOTE: Fixed by: https://github.com/openrazer/openrazer/commit/57610511d2548eda66999eaed5aa4517e89d6d39 (v3.10.2)
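Review bot: the `{DLA-4136-1}` line shows bullseye already shipped an LTS advisory for this issue, while the added line marks bookworm `<no-dsa> (Minor issue)`; that can be the right call, but the justification should say why bookworm needs no advisory where bullseye got one (for example, fix planned via point release), so the asymmetry between the two suites does not look accidental.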
@@ -5406,6 +5420,7 @@ CVE-2025-31672 (Improper Input Validation vulnerability in Apache POI. The issue
NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=69620
CVE-2025-31344 (Heap-based Buffer Overflow vulnerability in openEuler giflib on Linux. ...)
- giflib <unfixed> (bug #1102520)
+ [bookworm] - giflib <no-dsa> (Minor issue)
[bullseye] - giflib <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://www.openwall.com/lists/oss-security/2025/04/07/3
NOTE: https://sourceforge.net/p/giflib/bugs/176/
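Review bot: the added bookworm line reads `<no-dsa> (Minor issue)` while the bullseye line directly below it is `<postponed> (Minor issue, revisit when fixed upstream)` and unstable is still `<unfixed>`; since no upstream fix is linked, consider `<postponed>` with the same revisit wording for bookworm so both stable suites are re-evaluated once a fix exists, rather than closing the question with no-dsa now.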
=====================================
data/dsa-needed.txt
=====================================
@@ -20,6 +20,8 @@ frr
gh
Santiago Vila might work on preparing an update
--
+gimp
+--
jpeg-xl
--
libreswan
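Review bot: the new `gimp` entry has no assignee or note line, unlike the `gh` entry above it that records who might prepare the update; a short note naming who is working on it, or the issue that triggered the dsa-needed decision, would help the next person picking up this file.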
@@ -67,5 +69,7 @@ vips
--
wordpress
--
+yelp
+--
zabbix
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83b54f5000b0c95d313280c5932274202a5a3ead