Re: CVE requests: Poppler, Quassel, Pyfribidi, Overkill, DocUtils, FireGPG, Wireshark

[Josh Bressers <bressers () redhat com>]

Steve,

There are a few requests for MITRE below (2008 and 2009 IDs needed).

----- "Moritz Muehlenhoff" <jmm () debian org> wrote:
> Hi,
> here's a few more CVE requests for issues in the Debian Security Tracker
> without a CVE ID assigned:
>
> 1. Poppler (might also affect xpdf and kpdf due to code heritage, not
> determined yet)
> http://secunia.com/advisories/41596/
> -> Links to poppler git commits are given in the Secunia link

This needs to be properly understood. I'm not assigning IDs until someone
does a proper triage.

> 2. Quassel
> http://quassel-irc.org/node/115

I presume this is a DoS (the details are pretty slim)
CVE-2010-3443

> 3. Pyfribidi
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=570068

This looks to be a buffer overflow.
CVE-2010-3444

> 4. Overkill (this should be a CVE-2009 ID)
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=549310

I'm out of 2009 IDs. Can MITRE take this one.

> 5. Emacs mode for reStructuredText (from DocUtils) (this should be a
> CVE-2009 ID)
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560755

I'm out of 2009 IDs. Can MITRE take this one.

> 6. FireGPG (this should be a CVE-2008 ID)
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514386
> http://securityvulns.com/Udocument757.html

I have no 2008 IDs. This one will have to wait for MITRE.

> 7. Wireshark BER dissector
> http://archives.neohapsis.com/archives/bugtraq/2010-09/0088.html

This one looks like a stack overflow, the advisory isn't very clear, but
claims there are two possible outcomes. We can always split later if
needed.
CVE-2010-3445

Thanks

-- 
    JB