Secure testing team - Sep 2006 - False positives on daily script

For some reason on my fully up to date etch system I get the following
matches in the e-mail, when I click the attached link they all say etch
isn''t vulnerable (and I can''t see anything obvious wrong with
my system).

Thanks,
Julien

(And yes, these are *JUST* the false positives, there''s at least twice
as many in Mozilla and kernel vulnerabilities alone)

CVE-2005-3624 The CCITTFaxStream::CCITTFaxStream function in...
  <http://idssi.enyo.de/tracker/CVE-2005-3624>
  - cupsys-common, cupsys-bsd, cupsys-client, libcupsys2-dev,
    libcupsys2, libkpathsea4, tetex-bin

CVE-2005-3625 Xpdf, as used in products such as gpdf, kpdf,...
  <http://idssi.enyo.de/tracker/CVE-2005-3625>
  - cupsys-common, cupsys-bsd, cupsys-client, libcupsys2-dev,
    libcupsys2, libkpathsea4, tetex-bin

CVE-2005-3626 Xpdf, as used in products such as gpdf, kpdf,...
  <http://idssi.enyo.de/tracker/CVE-2005-3626>
  - cupsys-common, cupsys-bsd, cupsys-client, libcupsys2-dev,
    libcupsys2, libkpathsea4, tetex-bin

CVE-2005-3627 Stream.cc in Xpdf, as used in products such as gpdf,...
  <http://idssi.enyo.de/tracker/CVE-2005-3627>
  - cupsys-common, cupsys-bsd, cupsys-client, libcupsys2-dev,
    libcupsys2, libkpathsea4, tetex-bin

CVE-2005-3628 Buffer overflow in the JBIG2Bitmap::JBIG2Bitmap...
  <http://idssi.enyo.de/tracker/CVE-2005-3628>
  - cupsys-common, cupsys-bsd, cupsys-client, libcupsys2-dev,
    libcupsys2, libkpathsea4, tetex-bin

CVE-2006-0301 Heap-based buffer overflow in Splash.cc in xpdf, as...
  <http://idssi.enyo.de/tracker/CVE-2006-0301>
  - kplato, karbon, kexi, kugar, kspread, kthesaurus, kword,
    koffice-data, kivio, kformula, koshell, koffice, kivio-data,
    kpresenter-data, koffice-libs, kword-data, kchart, kpresenter,
    krita-data, krita (medium urgency)

CVE-2006-0410 SQL injection vulnerability in ADOdb before 4.71,...
  <http://idssi.enyo.de/tracker/CVE-2006-0410>
  - cacti

CVE-2006-0806 Multiple cross-site scripting (XSS) vulnerabilities...
  <http://idssi.enyo.de/tracker/CVE-2006-0806>
  - cacti

CVE-2006-1244 Unspecified vulnerability in certain versions of xpdf...
  <http://idssi.enyo.de/tracker/CVE-2006-1244>
  - kplato, karbon, kexi, kugar, kspread, kthesaurus, kword,
    koffice-data, kivio, kformula, koshell, koffice, kivio-data,
    kpresenter-data, koffice-libs, kword-data, kchart, kpresenter,
    krita-data, krita

CVE-2006-3122 The supersede_lease function in memory.c in ISC DHCP...
  <http://idssi.enyo.de/tracker/CVE-2006-3122>
  - dhcp-client

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url :
http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20060905/83185bfa/signature.pgp

* Julien Goodwin:
> For some reason on my fully up to date etch system I get the following
> matches in the e-mail, when I click the attached link they all say etch
> isn''t vulnerable (and I can''t see anything obvious wrong
with my system).
Could you post the output of "debsecan --suite etch --format detail",
please?

* Julien Goodwin:
> CVE-2005-3624 The CCITTFaxStream::CCITTFaxStream function in...
>   <http://idssi.enyo.de/tracker/CVE-2005-3624>
>   - cupsys-common, cupsys-bsd, cupsys-client, libcupsys2-dev,
>     libcupsys2, libkpathsea4, tetex-bin
The detailed output is:

CVE-2005-3624
  The CCITTFaxStream::CCITTFaxStream function in Stream.cc for xpdf, ...
  installed: cupsys-common 1.2.2-2
             (built from cupsys 1.2.2-2)
  fixed on branch:   cupsys 0 (source package)
  fixed on branch:   cupsys 1.1.14-5woody14 (source package)
  fixed on branch:   cupsys 1.1.23-10sarge1 (source package)

The relevant data in our database is:

CVE-2005-3624 (The CCITTFaxStream::CCITTFaxStream function in Stream.cc for
xpdf, ...)
	{DSA-962-1 DSA-961-1 DSA-950-1 DSA-940-1 DSA-938-1 DSA-937-1 DSA-936-1
DSA-932-1 DSA-931-1 DTSA-28-1}
	- poppler 0.4.4-1 (bug #346076)
	- tetex <not-affected> (Links dynamically to poppler)
	- gpdf 2.10.0-2 (bug #342286)
	- kdegraphics 4:3.5.0-3
	- xpdf 3.01-4
	- koffice 1:1.4.2-6 (bug #342294)
	- libextractor 0.5.9-1
	- pdfkit.framework 0.8-4
	- pdftohtml 0.36-12

[23 Jan 2006] DSA-950-1 cupsys - buffer overflow
	{CVE-2005-3191 CVE-2005-3192 CVE-2005-3193 CVE-2005-3624 CVE-2005-3625
CVE-2005-3626 CVE-2005-3627 CVE-2005-3628}
	[woody] - cupsys 1.1.14-5woody14
	[sarge] - cupsys <not-affected> (Cups uses xpdf-utils in Sarge)
	NOTE: fixed in testing at time of DSA

Looks like we lack an entry with the fixed version for unstable.  This
would be the version when cupsys switched to xpdf-utils, I guess.  I
called such missing information "latent vulnerabilites" and collected
them there: <http://idssi.enyo.de/tracker/data/latently-vulnerable>
The rationale is that if a package is vulnerable on a release branch,
it has to be vulnerable in some version in unstable as well becauste
that''s where we branched from.

There''s another bug, the "cupsys 0" version information
shouldn''t be
sent to the client, but that''s unrelated.  (On branches, version
information needs to match exactly.)