===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.6586
                          pngcheck security update
                              16 December 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           pngcheck
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-35511

Original Bulletin:
   https://www.debian.org/lts/security/2022/dla-3238

Comment: CVSS (Max):  7.8 CVE-2020-35511 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3238-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
December 13, 2022                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : pngcheck
Version        : 3.0.3-1~deb10u2
CVE ID         : CVE-2020-35511
Debian Bugs    : 1021278

Multiple security issues were discovered in pngcheck, a tool to verify the
integrity of PNG, JNG and MNG files, which could potentially result in the
execution of arbitrary code.

CVE-2020-35511

    A global buffer overflow was discovered in pngcheck function in
    pngcheck-2.4.0 (5 patches applied) via a crafted png file.

For Debian 10 buster, these problems have been fixed in version
3.0.3-1~deb10u2.

We recommend that you upgrade your pngcheck packages.

For the detailed security status of pngcheck please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pngcheck

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================