From 0f59fcd511373d9f7b1cdf2cdf0e654cd56ee926 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Mon, 18 Feb 2019 17:29:48 +0000 Subject: Record fix for CVE-2018-16885 and retire it --- retired/CVE-2018-16885 | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 retired/CVE-2018-16885 (limited to 'retired/CVE-2018-16885') diff --git a/retired/CVE-2018-16885 b/retired/CVE-2018-16885 new file mode 100644 index 00000000..c7ca9787 --- /dev/null +++ b/retired/CVE-2018-16885 @@ -0,0 +1,17 @@ +Description: out-of-bound read in memcpy_fromiovecend() +References: + https://bugzilla.redhat.com/show_bug.cgi?id=1661503 +Notes: + carnil> Not much details provided in RedHat Bugzilla #1661503 but said + carnil> that the issue is indirectly fixed upstream by UFO removal, and + carnil> the buggy memcpy_fromiovecend() (and related functions) are + carnil> fixed by upstream commit + carnil> 21226abb4e9f14d88238964d89b279e461ddc30c (4.0-rc1) +Bugs: +upstream: released (3.17-rc1) [06ebb06d49486676272a3c030bfeef4bd969a8e6] +4.19-upstream-stable: N/A "Fixed before branch point" +4.9-upstream-stable: N/A "Fixed before branch point" +3.16-upstream-stable: released (3.16.1) [874c613a476d6a283ce418290c4472a07dadadf6] +sid: released (3.16.2-1) +4.9-stretch-security: N/A "Fixed before branch point" +3.16-jessie-security: N/A "Fixed before branch point" -- cgit v1.2.3
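Review bot: The Notes block in the new retired/CVE-2018-16885 file names 21226abb4e9f14d88238964d89b279e461ddc30c (4.0-rc1) as the commit that fixes memcpy_fromiovecend(), but the upstream: line records 06ebb06d49486676272a3c030bfeef4bd969a8e6 in 3.17-rc1, and nothing in the file reconciles the two. Suggest adding a Notes line that says why 06ebb06d49486676272a3c030bfeef4bd969a8e6 is taken as the fixing commit and whether the 4.0-rc1 commit is still relevant. Without that, a reader cannot tell which change the 3.16.1 backport and the "Fixed before branch point" entries were checked against.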