Commits on Source (2)
......@@ -89141,6 +89141,7 @@ CVE-2017-6852 (Heap-based buffer overflow in the jpc_dec_decodepkt function in .
[wheezy] - jasper <no-dsa> (Minor issue)
NOTE: Upstream bug: https://github.com/mdadams/jasper/issues/114
NOTE: http://www.openwall.com/lists/oss-security/2017/01/25/10
NOTE: The POC only triggers an assertion failure but an overflow cannot be observed.
CVE-2017-6850 (The jp2_cdef_destroy function in jp2_cod.c in JasPer before 2.0.13 ...)
- jasper <removed> (unimportant)
NOTE: Upstream bug: https://github.com/mdadams/jasper/issues/112
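Review bot: The CVE-2017-6852 note "The POC only triggers an assertion failure but an overflow cannot be observed" does not say which jasper version or build was tested, so it cannot be checked against the [wheezy] "Minor issue" triage above it. An assertion only stops execution when assertions are compiled in. If the packaged library is built with NDEBUG, the same input would continue past that point, and the heap-based buffer overflow in jpc_dec_decodepkt named in the description may still be reachable. Suggest adding the tested version and whether the Debian build keeps assertions enabled, or linking the test result, so the note supports the no-dsa decision.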
......@@ -104109,7 +104110,7 @@ CVE-2016-9558 ((1) libdwarf/dwarf_leb.c and (2) dwarfdump/print_frames.c in libd
NOTE: Fixed by: https://sourceforge.net/p/libdwarf/code/ci/4f19e1050cd8e9ddf2cb6caa061ff2fec4c9b5f9/#diff-5
CVE-2016-9557 (Integer overflow in jas_image.c in JasPer before 1.900.25 allows ...)
- jasper <removed>
[jessie] - jasper <no-dsa> (Minor issue)
[jessie] - jasper <no-dsa> (There is no application crash unless jasper is built with ASAN)
[wheezy] - jasper <no-dsa> (the fix is too invasive)
NOTE: https://blogs.gentoo.org/ago/2016/11/19/jasper-signed-integer-overflow-in-jas_image-c
NOTE: Fixed by: https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a
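Review bot: The [jessie] reason "There is no application crash unless jasper is built with ASAN" for CVE-2016-9557 argues from crash visibility rather than impact. The linked Gentoo report is titled as a signed integer overflow, which is undefined behaviour whether or not a sanitizer build aborts on it. What matters for triage is whether the overflowed value in jas_image.c later feeds an allocation size or an index. Signed overflow is also normally reported by UBSan rather than ASAN, so the wording is worth checking against the report. Suggest stating the impact assessment directly and making it consistent with the [wheezy] line, which gives a different reason ("the fix is too invasive") for the same no-dsa outcome.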