--- Begin Message ---
Package: qa.debian.org
Severity: important
Hi,
let's look at http://packages.qa.debian.org/o/openoffice.org.html. We see
at the top: "There are 5 open security issues, please fix them. "
Let's look at what they are:
CVE-2009-0200 Integer underflow in OpenOffice.org (OOo) before 3.1.1 and ...
fixed in both etch-security and lenny-security (etch-backports is not relevant
anymore) and just waits to be in a point release.
Why is this listed as still needing to be fixed?
CVE-2009-0201 Heap-based buffer overflow in OpenOffice.org (OOo) before 3.1.1 and ...
fixed in both etch-security and lenny-security (etch-backports is not relevant
anymore) and just waits to be in a point release.
Why is this listed as still needing to be fixed?
CVE-2009-2139 Heap-based buffer overflow in svtools/source/filter.vcl/wmf/enhwmf.cxx ...
CVE-2009-2140 Multiple heap-based buffer overflows in ...
CVE-2009-3239 Buffer overflow in the EMF parser implementation in OpenOffice.org ...
fixed, but security-tracker buggy....
CVE-2009-3569 Stack-based buffer overflow in OpenOffice.org (OOo) allows remote ...
CVE-2009-3570 Unspecified vulnerability in OpenOffice.org (OOo) has unspecified ...
CVE-2009-3571 Unspecified vulnerability in OpenOffice.org (OOo) has unknown impact ...
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=551068. Nothing to fix
there (yet).
At least the first two should not be shown!
Grüße/Regards,
Rene
--- End Message ---
--- Begin Message ---
- To: 552124-done@bugs.debian.org
- Subject: Re: Bug#552124: qa.debian.org: bogusly warns about security issues when fixed
- From: Raphael Geissert <geissert@debian.org>
- Date: Sat, 24 Oct 2009 13:15:01 -0500
- Message-id: <4ae34404.c701be0a.584c.3883@mx.google.com>
- References: <20091023143539.GA19132__28750.2275583849$1256310172$gmane$org@rene-engelhard.de>
Hi Rene,
Whenever you encounter discrepancies in the tracker (in this case, data
generated by the tracker) please address them via the proper channel (which
is not via the qa resources).
You can reach the appropriate people via IRC and/or the ML, please take a
look at http://security-tracker.debian.org/tracker/data/report
(that's right, the tracker is not only in the hands of the stable sec team)
Thanks!
Rene Engelhard wrote:
[...]
> Let's look at what they are:
>
> CVE-2009-0200 Integer underflow in OpenOffice.org (OOo) before 3.1.1 and
> CVE-2009-0201 Heap-based buffer overflow in OpenOffice.org (OOo) before
> 3.1.1 and ...
>
> fixed in both etch-security and lenny-security (etch-backports is not
> relevant anymore) and just waits to be in a point release.
> Why is this listed as still needing to be fixed?
Because etch-backports is still marked as unfixed, but note that these are
not being counted in the number displayed by the PTS.
>
> CVE-2009-2139 Heap-based buffer overflow in
> svtools/source/filter.vcl/wmf/enhwmf.cxx ...
> CVE-2009-2140 Multiple heap-based buffer overflows in ...
As per IRC discussion, marking 2140 as not affecting the package, and 2139
is just like the others above.
> CVE-2009-3239 Buffer overflow in the EMF parser implementation in
> OpenOffice.org ...
This seems to be a duplicate, reported to mitre.
-2140 and -3239 were still marked as to be checked. We have recently
discussed and agreed that in order to process the data faster we would
start marking CVE ids as affecting the packages we know they _may_ affect,
when there's not enough time to fully investigate the issue. The idea is
that other people, the maintainer included, help out. So, in this case it
worked, thanks.
>
> CVE-2009-3569 Stack-based buffer overflow in OpenOffice.org (OOo) allows
> remote ...
> CVE-2009-3570 Unspecified vulnerability in OpenOffice.org (OOo) has
> unspecified ...
> CVE-2009-3571 Unspecified vulnerability in OpenOffice.org (OOo) has
> unknown impact ...
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=551068. Nothing to fix
> there (yet).
For tracking purposes those are not fixed, whether more details have been
disclosed or not. Should those issues be determined to be invalid, they will be
changed accordingly in the tracker.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
--- End Message ---
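The counting policy the reply describes (an id fixed in etch-security and lenny-security but still marked unfixed in etch-backports does not contribute to the PTS count; an id that is still "to be checked" is treated as possibly affecting the package and does count until someone investigates; a "not affected" mark removes it) can be made concrete in a few lines of Python. This is an added illustration written for this page, not the security tracker's or the PTS's own code: the data layout, the status vocabulary and the suite list are assumptions, and the sample entries are constructed from the CVE ids mentioned in the thread rather than taken from the tracker.

```python
# Added illustration of the "open security issues" count discussed in the
# thread. The data layout, status names and suite list below are assumptions
# made for this example; they are not the Debian security tracker's format.

# Assumed per-suite status vocabulary (constructed for this example).
FIXED = "fixed"
UNFIXED = "unfixed"
NOT_AFFECTED = "not-affected"
TO_CHECK = "to-check"  # still to be investigated; treated as possibly affected

# Suites whose status the displayed count considers. Backports suites are
# deliberately left out, matching the explanation in the reply.
COUNTED_SUITES = ("etch", "lenny", "sid")


def is_open(statuses, counted_suites=COUNTED_SUITES):
    """Return True if the id is open in at least one counted suite.

    statuses maps suite name -> status string. An unchecked id counts as
    open (ids are marked as affecting packages they *may* affect until
    investigated); fixed, not-affected and missing suites do not.
    """
    for suite in counted_suites:
        if statuses.get(suite) in (UNFIXED, TO_CHECK):
            return True
    return False


def count_open(tracker, counted_suites=COUNTED_SUITES):
    """Return (count, sorted ids) of issues that should be shown as open."""
    open_ids = sorted(cve for cve, statuses in tracker.items()
                      if is_open(statuses, counted_suites))
    return len(open_ids), open_ids


# Constructed sample modelled on the ids in the thread. The statuses are
# invented for illustration and are not the tracker's real entries.
RELEASES_FIXED = {"etch": FIXED, "lenny": FIXED, "sid": FIXED,
                  "etch-backports": UNFIXED}
SAMPLE = {
    "CVE-2009-0200": dict(RELEASES_FIXED),
    "CVE-2009-0201": dict(RELEASES_FIXED),
    "CVE-2009-2139": dict(RELEASES_FIXED),
    "CVE-2009-2140": {"etch": NOT_AFFECTED, "lenny": NOT_AFFECTED,
                      "sid": NOT_AFFECTED},
    "CVE-2009-3239": {"etch": TO_CHECK, "lenny": TO_CHECK, "sid": TO_CHECK},
    "CVE-2009-3569": {"etch": UNFIXED, "lenny": UNFIXED, "sid": UNFIXED},
    "CVE-2009-3570": {"etch": UNFIXED, "lenny": UNFIXED, "sid": UNFIXED},
    "CVE-2009-3571": {"etch": UNFIXED, "lenny": UNFIXED, "sid": UNFIXED},
}


if __name__ == "__main__":
    # Count as the reply describes it (backports ignored) ...
    n, ids = count_open(SAMPLE)
    print(f"open (backports ignored): {n} -> {ids}")
    # ... and the naive count that would also treat etch-backports as a
    # release suite, which is what makes the three fixed ids look open.
    n_naive, ids_naive = count_open(SAMPLE, COUNTED_SUITES + ("etch-backports",))
    print(f"open (backports counted): {n_naive} -> {ids_naive}")
```

Running the block shows the two counts side by side: the three ids that are fixed everywhere except etch-backports drop out once backports are excluded, while the unchecked id and the three still-unfixed ids remain open.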