[Secure-testing-team] False positives on daily script

Florian Weimer fw at deneb.enyo.de
Thu Sep 7 19:38:00 UTC 2006


* Julien Goodwin:

> CVE-2005-3624 The CCITTFaxStream::CCITTFaxStream function in...
>   <http://idssi.enyo.de/tracker/CVE-2005-3624>
>   - cupsys-common, cupsys-bsd, cupsys-client, libcupsys2-dev,
>     libcupsys2, libkpathsea4, tetex-bin

The detailed output is:

CVE-2005-3624
  The CCITTFaxStream::CCITTFaxStream function in Stream.cc for xpdf, ...
  installed: cupsys-common 1.2.2-2
             (built from cupsys 1.2.2-2)
  fixed on branch:   cupsys 0 (source package)
  fixed on branch:   cupsys 1.1.14-5woody14 (source package)
  fixed on branch:   cupsys 1.1.23-10sarge1 (source package)

The relevant data in our database is:

CVE-2005-3624 (The CCITTFaxStream::CCITTFaxStream function in Stream.cc for xpdf, ...)
	{DSA-962-1 DSA-961-1 DSA-950-1 DSA-940-1 DSA-938-1 DSA-937-1 DSA-936-1 DSA-932-1 DSA-931-1 DTSA-28-1}
	- poppler 0.4.4-1 (bug #346076)
	- tetex <not-affected> (Links dynamically to poppler)
	- gpdf 2.10.0-2 (bug #342286)
	- kdegraphics 4:3.5.0-3
	- xpdf 3.01-4
	- koffice 1:1.4.2-6 (bug #342294)
	- libextractor 0.5.9-1
	- pdfkit.framework 0.8-4
	- pdftohtml 0.36-12

[23 Jan 2006] DSA-950-1 cupsys - buffer overflow
	{CVE-2005-3191 CVE-2005-3192 CVE-2005-3193 CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 CVE-2005-3628}
	[woody] - cupsys 1.1.14-5woody14
	[sarge] - cupsys <not-affected> (Cups uses xpdf-utils in Sarge)
	NOTE: fixed in testing at time of DSA

Looks like we lack an entry with the fixed version for unstable.  This
would be the version when cupsys switched to xpdf-utils, I guess.  I
called such missing information "latent vulnerabilities" and collected
them there: <http://idssi.enyo.de/tracker/data/latently-vulnerable>
The rationale is that if a package is vulnerable on a release branch,
it has to be vulnerable in some version in unstable as well because
that's where we branched from.

There's another bug, the "cupsys 0" version information shouldn't be
sent to the client, but that's unrelated.  (On branches, version
information needs to match exactly.)
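The consistency rule stated in the message (a package fixed for a CVE on a release branch must also have an unstable entry for that CVE, otherwise the record is "latently vulnerable") can be checked mechanically over the list format shown above. The following is an added example, not code from the Debian security tracker; it parses a constructed excerpt of the two record kinds quoted in the message (a CVE entry with per-package unstable fixed versions, and a DSA entry with per-branch fixed versions) and reports every (CVE, source package) pair that a DSA covers on a branch but that the CVE entry does not mention for unstable. The field layout it assumes is exactly what the quoted records show; the tracker's real parser may accept more.

```python
import re

# Constructed excerpt in the tracker's list format, condensed from the
# records quoted in the message above (hypothetical snapshot, not live data).
SAMPLE = """\
CVE-2005-3624 (The CCITTFaxStream::CCITTFaxStream function in Stream.cc for xpdf, ...)
\t{DSA-962-1 DSA-961-1 DSA-950-1}
\t- poppler 0.4.4-1 (bug #346076)
\t- tetex <not-affected> (Links dynamically to poppler)
\t- xpdf 3.01-4

[23 Jan 2006] DSA-950-1 cupsys - buffer overflow
\t{CVE-2005-3624}
\t[woody] - cupsys 1.1.14-5woody14
\t[sarge] - cupsys <not-affected> (Cups uses xpdf-utils in Sarge)
\tNOTE: fixed in testing at time of DSA
"""

CVE_HEAD = re.compile(r"^(CVE-\d{4}-\d+)")
DSA_HEAD = re.compile(r"^\[[^\]]+\]\s+((?:DSA|DTSA)-\d+-\d+)\s+(\S+)")
REF_LINE = re.compile(r"^\t\{([^}]*)\}")
# Optional "[branch]" prefix, then "- <package> <version-or-marker>".
PKG_LINE = re.compile(r"^\t(?:\[(\w+)\]\s+)?-\s+(\S+)\s+(\S+)")


def parse(text):
    """Return (cves, dsas).

    cves: {cve_id: {source_pkg: unstable fixed version or <marker>}}
    dsas: {dsa_id: {"cves": set of CVE ids, "branches": {(branch, pkg): version}}}
    """
    cves, dsas = {}, {}
    current = None  # ("cve" | "dsa", identifier) of the record being read
    for line in text.splitlines():
        m = CVE_HEAD.match(line)
        if m:
            current = ("cve", m.group(1))
            cves.setdefault(m.group(1), {})
            continue
        m = DSA_HEAD.match(line)
        if m:
            current = ("dsa", m.group(1))
            dsas[m.group(1)] = {"cves": set(), "branches": {}}
            continue
        if current is None:
            continue  # text before the first record
        kind, ident = current
        m = REF_LINE.match(line)
        if m:
            # A CVE entry lists the DSAs that cover it; a DSA entry lists
            # the CVEs it fixes. Only the latter is needed for the check.
            if kind == "dsa":
                dsas[ident]["cves"].update(m.group(1).split())
            continue
        m = PKG_LINE.match(line)
        if m:
            branch, pkg, version = m.groups()
            if kind == "cve" and branch is None:
                cves[ident][pkg] = version          # unstable information
            elif kind == "dsa" and branch is not None:
                dsas[ident]["branches"][(branch, pkg)] = version
    return cves, dsas


def latent_vulnerabilities(cves, dsas):
    """Apply the rule from the message: every package a DSA fixes (or marks
    not-affected) on a release branch must have an unstable entry under the
    CVE, because the branch was cut from unstable. Returns sorted, de-duplicated
    (cve_id, source_pkg, dsa_id) triples for which that entry is missing."""
    missing = set()
    for dsa_id, dsa in dsas.items():
        for cve_id in dsa["cves"]:
            unstable = cves.get(cve_id, {})
            for (_branch, pkg) in dsa["branches"]:
                if pkg not in unstable:
                    missing.add((cve_id, pkg, dsa_id))
    return sorted(missing)


if __name__ == "__main__":
    c, d = parse(SAMPLE)
    for cve_id, pkg, dsa_id in latent_vulnerabilities(c, d):
        print(f"{cve_id}: {pkg} fixed by {dsa_id} on a branch, no unstable entry")
```

On the excerpt this reports exactly the case discussed in the message: cupsys is handled by DSA-950-1 on woody and sarge, but the CVE-2005-3624 record has no cupsys line for unstable. Adding the version in which cupsys switched to xpdf-utils (or a `<not-affected>` line with a reason) makes the report empty, which is the state a daily script can rely on.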