-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1668
                          abcm2ps security update
                               19 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           abcm2ps
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-32436 CVE-2021-32435 CVE-2021-32434
                   CVE-2019-1010069 CVE-2018-10771 CVE-2018-10753

Original Bulletin: 
   https://www.debian.org/lts/security/2022/dla-2983

Comment: CVSS (Max):  9.8 CVE-2018-10771 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

From: Anton Gladky <gladk@debian.org>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2983-1] abcm2ps security update

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2983-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
April 16, 2022                                https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : abcm2ps
Version        : 7.8.9-1+deb9u1
CVE ID         : CVE-2018-10753 CVE-2018-10771 CVE-2019-1010069 CVE-2021-32434
                 CVE-2021-32435 CVE-2021-32436

Multiple vulnerabilities have been discovered in abcm2ps, a program which
translates ABC music description files to PostScript.

CVE-2018-10753

    Stack-based buffer overflow in the delayed_output function in music.c
    allows remote attackers to cause a denial of service (application crash) or
    possibly have unspecified other impact.

CVE-2018-10771

    Stack-based buffer overflow in the get_key function in parse.c allows remote
    attackers to cause a denial of service (application crash) or possibly have
    unspecified other impact.

CVE-2019-1010069

    Incorrect access control allows attackers to cause a denial of service via a
    crafted file.

CVE-2021-32434

    Array overflow when there is a wrong duration in a voice overlay.

CVE-2021-32435

    Stack-based buffer overflow in the function get_key in parse.c allows remote
    attackers to cause a denial of service (DoS) via unspecified vectors.

CVE-2021-32436

    Out-of-bounds read in the function write_title() in subs.c allows remote
    attackers to cause a denial of service via unspecified vectors.

For Debian 9 stretch, these problems have been fixed in version
7.8.9-1+deb9u1.

We recommend that you upgrade your abcm2ps packages.

For the detailed security status of abcm2ps please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/abcm2ps

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----