[Git][security-tracker-team/security-tracker][master] Update fig2dev CVEs which got re-assigned by RedHat CNA

Salvatore Bonaccorso (@carnil) carnil at debian.org
Thu May 15 21:30:36 BST 2025



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c7302ddf by Salvatore Bonaccorso at 2025-05-15T22:29:47+02:00
Update fig2dev CVEs which got re-assigned by RedHat CNA

Initially the assigned CVEs got rejected; in consequence we dropped the
CVEs in e37ab262193e ("Remove CVEs which initially were assigned for
fig2dev issues").

They were re-assigned for the same CVEs so restore our tracking mostly
but demote the issues to unimportant.

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/next-point-update.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -7012,18 +7012,27 @@ CVE-2025-46419 (Westermo WeOS 5 through 5.23.0 allows a reboot via a malformed E
 CVE-2025-46417 (The unsafe globals in Picklescan before 0.0.25 do not include ssl. Con ...)
 	NOT-FOR-US: Picklescan
 CVE-2025-46400 (In xfig diagramming tool, a segmentation fault while running fig2dev a ...)
-	- xfig <unfixed> (unimportant)
+	- fig2dev 1:3.2.9a-3 (unimportant)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2362054
 	NOTE: https://sourceforge.net/p/mcj/tickets/187/
 	NOTE: Error covered with: https://sourceforge.net/p/mcj/fig2dev/ci/1e5515a1ea2ec8651cf85ab5000d026bb962492a/
 	NOTE: Fixed by: https://sourceforge.net/p/mcj/fig2dev/ci/c4465e0d9af89d9738aad31c2d0873ac1fa03c96/
 	NOTE: Crash in CLI tool, no security impact
 CVE-2025-46399 (In xfig diagramming tool, a segmentation fault in fig2dev allows memor ...)
-	TODO: check
+	- fig2dev 1:3.2.9a-4 (unimportant)
+	NOTE: https://sourceforge.net/p/mcj/tickets/190/
+	NOTE: Fixed by: https://sourceforge.net/p/mcj/fig2dev/ci/2bd6c0b210916d0d3ca81f304535b5af0849aa93/
+	NOTE: Crash in CLI tool, no security impact
 CVE-2025-46398 (In xfig diagramming tool, a stack-overflow while running fig2dev allow ...)
-	TODO: check
+	- fig2dev 1:3.2.9a-4 (unimportant)
+	NOTE: https://sourceforge.net/p/mcj/tickets/191/
+	NOTE: Fixed by: https://sourceforge.net/p/mcj/fig2dev/ci/5f22009dba73922e98d49c0096cece8b215cd45b/
+	NOTE: Crash in CLI tool, no security impact
 CVE-2025-46397 (In xfig diagramming tool, a stack-overflowwhile running fig2dev allows ...)
-	TODO: check
+	- fig2dev 1:3.2.9a-4 (unimportant)
+	NOTE: https://sourceforge.net/p/mcj/tickets/192/
+	NOTE: Fixed by: https://sourceforge.net/p/mcj/fig2dev/ci/dfa8b661b506a463a669754ed635b0a8eb67580e/
+	NOTE: Crash in CLI tool, no security impact
 CVE-2025-46381
 	REJECTED
 CVE-2025-46380
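Review bot: the fixed version for CVE-2025-46400 (fig2dev 1:3.2.9a-3) differs from the 1:3.2.9a-4 recorded for the three sibling entries CVE-2025-46399, CVE-2025-46398 and CVE-2025-46397; worth confirming against the package changelog that the c4465e0d upstream fix really shipped in -3 and not -4, since a too-low fixed version marks the issue as resolved in a package that still carries the crash. Also, only the CVE-2025-46400 entry keeps a Red Hat bugzilla NOTE, while the commit message attributes the re-assignment of all four IDs to the Red Hat CNA; if bugzilla entries exist for the other three, adding the same kind of NOTE line would keep the provenance trail consistent across the group.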


=====================================
data/DLA/list
=====================================
@@ -56,6 +56,7 @@
 	{CVE-2025-29769}
 	[bullseye] - vips 8.10.5-2+deb11u1
 [30 Apr 2025] DLA-4147-1 fig2dev - security update
+	{CVE-2025-46397 CVE-2025-46398 CVE-2025-46399 CVE-2025-46400}
 	[bullseye] - fig2dev 1:3.2.8-3+deb11u3
 [30 Apr 2025] DLA-4146-1 libxml2 - security update
 	{CVE-2025-32414 CVE-2025-32415}
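Review bot: the four CVE IDs are being attached retroactively to DLA-4147-1, which is dated 30 Apr 2025, i.e. before the IDs were re-assigned; that is fine, but the commit message only speaks of restoring tracking in data/CVE/list, so a short mention that the already-published DLA entry is amended to reference the re-assigned IDs would make the history easier to follow for anyone reading the DLA list later.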


=====================================
data/next-point-update.txt
=====================================
@@ -234,3 +234,11 @@ CVE-2025-27773
 	[bookworm] - simplesamlphp 1.19.7-1+deb12u2
 CVE-2025-46712
 	[bookworm] - erlang 1:25.2.3+dfsg-1+deb12u2
+CVE-2025-46397
+	[bookworm] - fig2dev 1:3.2.8b-3+deb12u2
+CVE-2025-46398
+	[bookworm] - fig2dev 1:3.2.8b-3+deb12u2
+CVE-2025-46399
+	[bookworm] - fig2dev 1:3.2.8b-3+deb12u2
+CVE-2025-46400
+	[bookworm] - fig2dev 1:3.2.8b-3+deb12u2
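Review bot: all four bookworm entries point at the same fig2dev 1:3.2.8b-3+deb12u2, while the same issues are marked unimportant with "Crash in CLI tool, no security impact" in data/CVE/list; keeping them queued for a point update is reasonable if that package already contains the upstream fixes, but stating that in the commit message would prevent a later triage pass from dropping these lines as inconsistent with the unimportant severity.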



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7302ddf264401a63ade31814877256fe6a21861




