Author: jrdioko-guest Date: 2011-07-29 19:19:08 +0000 (Fri, 29 Jul 2011) New Revision: 17045 Modified: data/CVE/list Log: Issue research Affected files not found in a search, but not 100% sure how to handle these, so left NOTEs. Modified: data/CVE/list ==================================================================--- data/CVE/list 2011-07-29 17:40:37 UTC (rev 17044) +++ data/CVE/list 2011-07-29 19:19:08 UTC (rev 17045) @@ -5379,8 +5379,10 @@ TODO: check CVE-2011-0990 (Race condition in the FastCopy optimization in the Array.Copy method ...) TODO: check + NOTE: There is no file icall.c in the Debian archive. CVE-2011-0989 (The RuntimeHelpers.InitializeArray method in metadata/icall.c in Mono, ...) TODO: check + NOTE: There is no file icall.c in the Debian archive. CVE-2011-0988 (pure-ftpd 1.0.22, as used in SUSE Linux Enterprise Server 10 SP3 and ...) TODO: check CVE-2010-4733 (WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway ...) @@ -7404,6 +7406,7 @@ RESERVED CVE-2010-4665 (Integer overflow in the ReadDirectory function in tiffdump.c in ...) TODO: check + NOTE: No file named tiffdump.c exists in the Debian archive. CVE-2010-4664 RESERVED CVE-2010-4663 (Unspecified vulnerability in the News module in CMS Made Simple ...) @@ -8643,6 +8646,7 @@ [lenny] - openjdk-6 <no-dsa> (bug #614151) CVE-2011-0024 (Heap-based buffer overflow in wiretap/pcapng.c in Wireshark before 1.2 ...) TODO: check + NOTE: No file named pcapng.c exists in the Debian archive. CVE-2011-0023 RESERVED CVE-2011-0022 (The setup scripts in 389 Directory Server 1.2.x (aka Red Hat Directory ...)
On Fri, Jul 29, 2011 at 07:19:08PM +0000, Johnathan Ritzi wrote:> Author: jrdioko-guest > Date: 2011-07-29 19:19:08 +0000 (Fri, 29 Jul 2011) > New Revision: 17045 > > Modified: > data/CVE/list > Log: > Issue research > > Affected files not found in a search, but not 100% sure how to > handle these, so left NOTEs. > > > Modified: data/CVE/list > ==================================================================> --- data/CVE/list 2011-07-29 17:40:37 UTC (rev 17044) > +++ data/CVE/list 2011-07-29 19:19:08 UTC (rev 17045) > @@ -5379,8 +5379,10 @@ > TODO: check > CVE-2011-0990 (Race condition in the FastCopy optimization in the Array.Copy method ...) > TODO: check > + NOTE: There is no file icall.c in the Debian archive. > CVE-2011-0989 (The RuntimeHelpers.InitializeArray method in metadata/icall.c in Mono, ...) > TODO: check > + NOTE: There is no file icall.c in the Debian archive. > CVE-2011-0988 (pure-ftpd 1.0.22, as used in SUSE Linux Enterprise Server 10 SP3 and ...) > TODO: check > CVE-2010-4733 (WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway ...) > @@ -7404,6 +7406,7 @@ > RESERVED > CVE-2010-4665 (Integer overflow in the ReadDirectory function in tiffdump.c in ...) > TODO: check > + NOTE: No file named tiffdump.c exists in the Debian archive. > CVE-2010-4664 > RESERVED > CVE-2010-4663 (Unspecified vulnerability in the News module in CMS Made Simple ...) > @@ -8643,6 +8646,7 @@ > [lenny] - openjdk-6 <no-dsa> (bug #614151) > CVE-2011-0024 (Heap-based buffer overflow in wiretap/pcapng.c in Wireshark before 1.2 ...) > TODO: check > + NOTE: No file named pcapng.c exists in the Debian archive.It does: jmm at pisco:~/scratch/wireshark-1.6.1$ find . -name pcapng.c ./wiretap/pcapng.c How did you do your searches? packages.debian.org only covers the binary packages, but not the source code. Cheers, Moritz
That''s exactly what I was doing, I thought I was going to get away without building a sid system (or at least a chroot), but I guess I was wrong :) So it looks like the package description search finds binary or source packages, while the package contents only searches binary ones. I''ll go look again and figure out how all this works. -Johnathan 2011/7/29 Moritz M?hlenhoff <jmm at inutil.org>> On Fri, Jul 29, 2011 at 07:19:08PM +0000, Johnathan Ritzi wrote: > > Author: jrdioko-guest > > Date: 2011-07-29 19:19:08 +0000 (Fri, 29 Jul 2011) > > New Revision: 17045 > > > > Modified: > > data/CVE/list > > Log: > > Issue research > > > > Affected files not found in a search, but not 100% sure how to > > handle these, so left NOTEs. > > > > > > Modified: data/CVE/list > > ==================================================================> > --- data/CVE/list 2011-07-29 17:40:37 UTC (rev 17044) > > +++ data/CVE/list 2011-07-29 19:19:08 UTC (rev 17045) > > @@ -5379,8 +5379,10 @@ > > TODO: check > > CVE-2011-0990 (Race condition in the FastCopy optimization in the > Array.Copy method ...) > > TODO: check > > + NOTE: There is no file icall.c in the Debian archive. > > CVE-2011-0989 (The RuntimeHelpers.InitializeArray method in > metadata/icall.c in Mono, ...) > > TODO: check > > + NOTE: There is no file icall.c in the Debian archive. > > CVE-2011-0988 (pure-ftpd 1.0.22, as used in SUSE Linux Enterprise Server > 10 SP3 and ...) > > TODO: check > > CVE-2010-4733 (WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU > - TCP Gateway ...) > > @@ -7404,6 +7406,7 @@ > > RESERVED > > CVE-2010-4665 (Integer overflow in the ReadDirectory function in > tiffdump.c in ...) > > TODO: check > > + NOTE: No file named tiffdump.c exists in the Debian archive. > > CVE-2010-4664 > > RESERVED > > CVE-2010-4663 (Unspecified vulnerability in the News module in CMS Made > Simple ...) > > @@ -8643,6 +8646,7 @@ > > [lenny] - openjdk-6 <no-dsa> (bug #614151) > > CVE-2011-0024 (Heap-based buffer overflow in wiretap/pcapng.c in > Wireshark before 1.2 ...) > > TODO: check > > + NOTE: No file named pcapng.c exists in the Debian archive. > > It does: > > jmm at pisco:~/scratch/wireshark-1.6.1$ find . -name pcapng.c > ./wiretap/pcapng.c > > How did you do your searches? packages.debian.org only covers the binary > packages, > but not the source code. > > Cheers, > Moritz >-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.alioth.debian.org/pipermail/secure-testing-commits/attachments/20110729/740589c8/attachment.html>
On Fri, Jul 29, 2011 at 03:17:53PM -0700, Johnathan Ritzi wrote:> That''s exactly what I was doing, I thought I was going to get away without > building a sid system (or at least a chroot), but I guess I was wrong :) > > So it looks like the package description search finds binary or source > packages, while the package contents only searches binary ones. I''ll go look > again and figure out how all this works.Searching for the package name in the description should work out as well: CVE-2011-0024 mentions Wireshark, CVE-2010-4665 mentions libtiff, etc. Cheers, Moritz
Finding the main product name seems fairly straightforward, but it seems like it would be good to search for a mentioned file as well to make sure you have the right package, see if the filename shows up in another package, etc. I''ll give setting up a sid chroot another shot. Thanks, Johnathan 2011/7/30 Moritz M?hlenhoff <jmm at inutil.org>> On Fri, Jul 29, 2011 at 03:17:53PM -0700, Johnathan Ritzi wrote: > > That''s exactly what I was doing, I thought I was going to get away > without > > building a sid system (or at least a chroot), but I guess I was wrong :) > > > > So it looks like the package description search finds binary or source > > packages, while the package contents only searches binary ones. I''ll go > look > > again and figure out how all this works. > > Searching for the package name in the description should work out as well: > CVE-2011-0024 mentions Wireshark, CVE-2010-4665 mentions libtiff, etc. > > Cheers, > Moritz >-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.alioth.debian.org/pipermail/secure-testing-commits/attachments/20110730/6d0f3241/attachment.html>