Date: Wed, 12 Feb 2020 00:19:38 +0000 (UTC)
From: "Danilo G. Baio" <dbaio@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r525894 - head/security/vuxml
Message-ID: <202002120019.01C0JcPP089374@repo.freebsd.org>
Author: dbaio Date: Wed Feb 12 00:19:38 2020 New Revision: 525894 URL: https://svnweb.freebsd.org/changeset/ports/525894 Log: security/vuxml: Document graphics/libexif issue PR: 244060 Reported by: tj@mrsk.me (email) Security: CVE-2019-9278 Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Feb 11 23:52:14 2020 (r525893) +++ head/security/vuxml/vuln.xml Wed Feb 12 00:19:38 2020 (r525894) @@ -58,6 +58,38 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="00f30cba-4d23-11ea-86ba-641c67a117d8"> + <topic>libexif -- privilege escalation</topic> + <affects> + <package> + <name>libexif</name> + <range><lt>0.6.21_5</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Mitre reports:</p> + <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9278"> + <p>In libexif, there is a possible out of bounds write due to an integer overflow. + This could lead to remote escalation of privilege in the media content provider + with no additional execution privileges needed. User interaction is needed for + exploitation.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2019-9278</cvename> + <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9278</url> + <url>https://security-tracker.debian.org/tracker/CVE-2019-9278</url> + <url>https://seclists.org/bugtraq/2020/Feb/9</url> + <url>https://github.com/libexif/libexif/issues/26</url> + </references> + <dates> + <discovery>2019-02-06</discovery> + <entry>2020-02-11</entry> + </dates> + </vuln> + <vuln vid="d460b640-4cdf-11ea-a59e-6451062f0f7a"> <topic>Flash Player -- arbitrary code execution</topic> <affects>
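Review bot: The <topic> of the new libexif entry reads "privilege escalation", but the quoted Mitre text describes the flaw itself as an out of bounds write due to an integer overflow and attributes the escalation to "the media content provider" rather than to libexif as packaged here. Consider a topic that names the flaw, for example "libexif -- integer overflow leading to out of bounds write", so the summary matches what a user of the port is exposed to. Also, in <dates>, <discovery>2019-02-06</discovery> is a year earlier than the <entry> date and the 2020/Feb bugtraq reference; please confirm the year is intended.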