Author: geissert
Date: 2011-01-06 00:36:10 +0000 (Thu, 06 Jan 2011)
New Revision: 15800
Modified:
data/CVE/list
Log:
track (pending review) issues reported by Silvio
add packages embedding code copies to a few CVEs
Modified: data/CVE/list
==================================================================---
data/CVE/list 2011-01-06 00:13:06 UTC (rev 15799)
+++ data/CVE/list 2011-01-06 00:36:10 UTC (rev 15800)
@@ -1,3 +1,12 @@
+CVE-2011-XXXX [Crash with long HOME environment variable]
+ - toppler <unfixed> (bug #608979)
+ TODO: check
+CVE-2011-XXXX [Crash with long HOME environment variable]
+ - lbreakout2 <unfixed> (bug #608980)
+ TODO: check
+CVE-2011-XXXX [Crash with long GGI_DISPLAY environment variable]
+ - zhcon <unfixed> (bug #608981)
+ TODO: check
CVE-2010-XXXX [syslog-ng log permissions]
- syslog-ng 3.1.3-2 (bug #608491)
[lenny] - syslog-ng <not-affected> (Freebsd-specific, which is not
supported in Lenny)
@@ -16674,10 +16683,14 @@
- linux-2.6.24 <removed> (high)
CVE-2009-3546 (The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x
before ...)
{DSA-1936-1}
+ - libwmf <unfixed>
+ - plt-scheme <unfixed>
+ - graphviz <unfixed>
- libgd2 2.0.36~rc1~dfsg-3.1 (medium; bug #552534)
- php5 <not-affected> (the php packages use the system libgd2)
NOTE: http://svn.php.net/viewvc?view=revision&revision=289557
NOTE: <20091015173822.084de220 at redhat.com> in OSS-sec
+ TODO: check
CVE-2009-3545 (DataWizard Technologies FtpXQ FTP Server 3.0 allows remote ...)
NOT-FOR-US: DataWizard Technologies FtpXQ FTP Server
CVE-2009-3544 (Xerver HTTP Server 4.32 allows remote attackers to obtain the
source ...)
@@ -48677,8 +48690,12 @@
CVE-2007-4892 (Multiple SQL injection vulnerabilities in SWSoft Plesk 7.6.1,
8.1.0, ...)
NOT-FOR-US: Plesk (Windows)
CVE-2007-XXXX [libgd2: gdImageColorTransparent can write outside buffer]
+ - libwmf <unfixed>
+ - plt-scheme <unfixed>
+ - graphviz <unfixed>
- libgd2 2.0.35.dfsg-3
[etch] - libgd2 2.0.33-5.2etch1
+ TODO: check
CVE-2007-4891 (A certain ActiveX control in PDWizard.ocx 6.0.0.9782 and earlier
in ...)
NOT-FOR-US: PDWizard
CVE-2007-4890 (Absolute directory traversal vulnerability in a certain ActiveX
...)
@@ -50823,8 +50840,12 @@
CVE-2007-3996 (Multiple integer overflows in libgd in PHP before 5.2.4 allow
remote ...)
{DSA-1613-1}
- libgd2 2.0.35.dfsg-1 (bug #443456; medium)
+ - libwmf <unfixed>
+ - plt-scheme <unfixed>
+ - graphviz <unfixed>
NOTE: Debian''s PHP packages are linked dynamically against libgd
NOTE: see http://www.php.net/releases/5_2_4.php
+ TODO: check
CVE-2007-3995
RESERVED
CVE-2007-3994
@@ -52087,11 +52108,19 @@
CVE-2007-3477 (The (a) imagearc and (b) imagefilledarc functions in GD Graphics
...)
{DSA-1613-1}
- libgd2 2.0.35.dfsg-1 (low)
+ - libwmf <unfixed>
+ - plt-scheme <unfixed>
+ - graphviz <unfixed>
NOTE: CPU consumption DoS
+ TODO: check
CVE-2007-3476 (Array index error in gd_gif_in.c in the GD Graphics Library
(libgd) ...)
{DSA-1613-1}
- libgd2 2.0.35.dfsg-1 (low)
+ - libwmf <unfixed>
+ - plt-scheme <unfixed>
+ - graphviz <unfixed>
NOTE: can write a 0 to a 4k window in heap, very unlikely to be controllable.
+ TODO: check
CVE-2007-3475 (The GD Graphics Library (libgd) before 2.0.35 allows
user-assisted ...)
- libgd2 <unfixed> (unimportant)
NOTE: out-of-band memory read, does not appear attacker controlled.