===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4266
                       pdfresurrect security update
                              2 December 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           pdfresurrect
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   Linux variants
Impact/Access:     Denial of Service -- Existing Account
                   Reduced Security  -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-20740 CVE-2019-14934

Original Bulletin:
   https://www.debian.org/lts/security/2020/dla-2475

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running pdfresurrect check for an updated version of the software
         for their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2475-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Roberto C. Sánchez
December 01, 2020                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : pdfresurrect
Version        : 0.12-6+deb9u1
CVE ID         : CVE-2019-14934 CVE-2020-20740

Vulnerabilities have been discovered in pdfresurrect, a tool for analyzing
and manipulating revisions to PDF documents.

CVE-2019-14934

    pdf_load_pages_kids in pdf.c doesn't validate a certain size value,
    which leads to a malloc failure and out-of-bounds write

CVE-2020-20740

    lack of header validation checks causes heap-buffer-overflow in
    pdf_get_version()

For Debian 9 stretch, these problems have been fixed in version
0.12-6+deb9u1.

We recommend that you upgrade your pdfresurrect packages.
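The two defect classes named in the Debian advisory above, a header read without a length check (CVE-2020-20740) and an untrusted size value driving a malloc whose result is then written through (CVE-2019-14934), are illustrated below with the bounds checks that prevent them. This is an added C example written for this bulletin, not pdfresurrect's source: the function names checked_get_version, checked_kid_count and checked_alloc_kids, the element type, and the sample inputs are assumptions chosen for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Bounded header parse: returns major*10+minor (17 for "%PDF-1.7") or -1
 * when the input is truncated or malformed; every read is guarded by len. */
int checked_get_version(const unsigned char *buf, size_t len)
{
    static const char prefix[] = "%PDF-";
    const size_t plen = sizeof(prefix) - 1;            /* 5 bytes */
    if (buf == NULL || len < plen + 3)                 /* "%PDF-" + "M.m" */
        return -1;
    if (memcmp(buf, prefix, plen) != 0)
        return -1;
    unsigned char M = buf[plen], dot = buf[plen + 1], m = buf[plen + 2];
    if (M < '0' || M > '9' || dot != '.' || m < '0' || m > '9')
        return -1;
    return (M - '0') * 10 + (m - '0');
}

/* Validate an untrusted element count before it sizes an allocation: a file
 * cannot reference more kids than it has bytes, and count*4 must not wrap. */
int checked_kid_count(size_t count, size_t file_len)
{
    if (count == 0 || count > file_len)
        return 0;
    if (count > SIZE_MAX / sizeof(uint32_t))
        return 0;
    return 1;
}

/* Allocate the kids table only after validation; the caller gets NULL,
 * never a too-small or failed buffer that a later loop would write past. */
uint32_t *checked_alloc_kids(size_t count, size_t file_len)
{
    if (!checked_kid_count(count, file_len))
        return NULL;
    return calloc(count, sizeof(uint32_t));             /* NULL on failure */
}

int main(void)
{
    const unsigned char good[] = "%PDF-1.7\n", trunc[] = "%PDF"; /* constructed */
    printf("%d %d\n", checked_get_version(good, sizeof good - 1),
           checked_get_version(trunc, sizeof trunc - 1));
    uint32_t *kids = checked_alloc_kids(4, 1024);
    printf("kids %s\n", kids ? "allocated" : "refused");
    free(kids);
    return 0;
}
```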
For the detailed security status of pdfresurrect please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pdfresurrect

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.