===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1668
                          abcm2ps security update
                               19 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           abcm2ps
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-32436 CVE-2021-32435 CVE-2021-32434
                   CVE-2019-1010069 CVE-2018-10771 CVE-2018-10753

Original Bulletin:
   https://www.debian.org/lts/security/2022/dla-2983

Comment: CVSS (Max):  9.8 CVE-2018-10771 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

From: Anton Gladky <gladk@debian.org>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2983-1] abcm2ps security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2983-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
April 16, 2022                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : abcm2ps
Version        : 7.8.9-1+deb9u1
CVE ID         : CVE-2018-10753 CVE-2018-10771 CVE-2019-1010069
                 CVE-2021-32434 CVE-2021-32435 CVE-2021-32436

Multiple vulnerabilities have been discovered in abcm2ps, a program which
translates ABC music description files to PostScript.

CVE-2018-10753

    Stack-based buffer overflow in the delayed_output function in music.c
    allows remote attackers to cause a denial of service (application
    crash) or possibly have unspecified other impact.

CVE-2018-10771

    Stack-based buffer overflow in the get_key function in parse.c allows
    remote attackers to cause a denial of service (application crash) or
    possibly have unspecified other impact.

CVE-2019-1010069

    Incorrect access control allows attackers to cause a denial of service
    via a crafted file.

CVE-2021-32434

    Array overflow when wrong duration in voice overlay.

CVE-2021-32435

    Stack-based buffer overflow in the function get_key in parse.c allows
    remote attackers to cause a denial of service (DoS) via unspecified
    vectors.

CVE-2021-32436

    Out-of-bounds read in the function write_title() in subs.c allows
    remote attackers to cause a denial of service via unspecified vectors.

For Debian 9 stretch, these problems have been fixed in version
7.8.9-1+deb9u1.

We recommend that you upgrade your abcm2ps packages.

For the detailed security status of abcm2ps please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/abcm2ps

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================