Date: Mon, 5 Oct 2020 17:25:55 +0000 (UTC) From: Sunpoet Po-Chuan Hsieh <sunpoet@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r551528 - head/security/vuxml Message-ID: <202010051725.095HPtHm067346@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: sunpoet Date: Mon Oct 5 17:25:55 2020 New Revision: 551528 URL: https://svnweb.freebsd.org/changeset/ports/551528 Log: Document libexif vulnerability Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Mon Oct 5 17:25:33 2020 (r551527) +++ head/security/vuxml/vuln.xml Mon Oct 5 17:25:55 2020 (r551528) @@ -58,6 +58,49 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="cff0b2e2-0716-11eb-9e5d-08002728f74c"> + <topic>libexif -- multiple vulnerabilities</topic> + <affects> + <package> + <name>libexif</name> + <range><lt>0.6.22</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Release notes:</p> + <blockquote cite="https://github.com/libexif/libexif/blob/master/NEWS"> + <p>Lots of fixes exposed by fuzzers like AFL, ClusterFuzz, OSSFuzz and others:</p> + <p>CVE-2016-6328: fixed integer overflow when parsing maker notes</p> + <p>CVE-2017-7544: fixed buffer overread</p> + <p>CVE-2018-20030: Fix for recursion DoS</p> + <p>CVE-2019-9278: replaced integer overflow checks the compiler could optimize away by safer constructs</p> + <p>CVE-2020-0093: read overflow</p> + <p>CVE-2020-12767: fixed division by zero </p> + <p>CVE-2020-13112: Various buffer overread fixes due to integer overflows in maker notes</p> + <p>CVE-2020-13113: Potential use of uninitialized memory </p> + <p>CVE-2020-13114: Time consumption DoS when parsing canon array markers</p> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/libexif/libexif/blob/master/NEWS</url> + <url>CVE-2016-6328</url> + <url>CVE-2017-7544</url> + <url>CVE-2018-20030</url> + <url>CVE-2019-9278</url> + <url>CVE-2020-0093</url> + <url>CVE-2020-12767</url> + <url>CVE-2020-13112</url> + <url>CVE-2020-13113</url> + <url>CVE-2020-13114</url> + </references> + <dates> + <discovery>2020-05-18</discovery> + <entry>2020-10-05</entry> + </dates> + </vuln> + <vuln vid="c71ed065-0600-11eb-8758-e0d55e2a8bf9"> <topic>kdeconnect -- packet manipulation can be exploited in a Denial of Service attack</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202010051725.095HPtHm067346>