[Secure-testing-team] [Secure-testing-commits] r12708 - data/CVE

Nico Golde debian-secure-testing+ml at ngolde.de
Mon Aug 31 01:09:02 UTC 2009 

Hi,
* Michael S Gilbert <michael.s.gilbert at gmail.com> [2009-08-31 02:29]:
> On Mon, 31 Aug 2009 00:23:00 +0200 Nico Golde wrote:
> 
> > * Michael Gilbert <gilbert-guest at alioth.debian.org> [2009-08-30 19:06]:
> > > Author: gilbert-guest
> > > Date: 2009-08-30 17:09:16 +0000 (Sun, 30 Aug 2009)
> > > New Revision: 12708
> > > 
> > > Modified:
> > >    data/CVE/list
> > > Log:
> > > beginning of embedded code copies triage (5 down 395 to go)
> > > 
> > > Modified: data/CVE/list
> > > ===================================================================
> > > --- data/CVE/list	2009-08-30 03:00:07 UTC (rev 12707)
> > > +++ data/CVE/list	2009-08-30 17:09:16 UTC (rev 12708)
> > > @@ -1286,6 +1286,7 @@
> > >  CVE-2009-2660 (Multiple integer overflows in CamlImages 2.2 might allow ...)
> > >  	{DSA-1857-1}
> > >  	- camlimages 1:3.0.1-3 (medium; bug #540146)
> > > +	- advi <not-affected> (affected code section not present in advi code copy of camlimages)
> > >  CVE-2009-2657 (nilfs-utils before 2.0.14 installs multiple programs with unnecessary ...)
> > >  	- nilfs2-tools <not-affected> (dh_fixperms removes the setuid and setgid bits from all files)
> > >  CVE-2009-2656 (Unspecified vulnerability in the com.android.phone process in Android ...)
> > > @@ -1303,6 +1304,8 @@
> > >  CVE-2009-XXXX [VLC: integer underflow in Real RTSP]
> > >  	- vlc 1.0.1-1
> > >  	- mplayer <unfixed>
> > > +	- xine-lib <unfixed>
> > > +        NOTE: affected mplayer code copy present in xine-lib
> > 
> > Did you only check if the code is present or also if it's 
> > used?
> 
> yes, i only checked that the embedded code is present.  after further
> review of the full disclosure posting, it is clear that xine-lib is not
> affected because it has additional an additional check.

I wasn't talking about this issue in specific, just noticed 
it in this commit. If you didn't do that yet please do so to 
avoid lots of false-positives and someone needs to do the 
work anyway.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20090831/db5f00a0/attachment.pgp>

More information about the Secure-testing-team mailing list