
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.6586
                         pngcheck security update
                             16 December 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           pngcheck
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-35511  

Original Bulletin: 
   https://www.debian.org/lts/security/2022/dla-3238

Comment: CVSS (Max):  7.8 CVE-2020-35511 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3238-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
December 13, 2022                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : pngcheck
Version        : 3.0.3-1~deb10u2
CVE ID         : CVE-2020-35511
Debian Bugs    : 1021278

Multiple security issues were discovered in pngcheck, a tool to verify the
integrity of PNG, JNG and MNG files, which could potentially result
in the execution of arbitrary code.

CVE-2020-35511

    A global buffer overflow was discovered in pngcheck function in
    pngcheck-2.4.0 (5 patches applied) via a crafted png file.


For Debian 10 buster, these problems have been fixed in version
3.0.3-1~deb10u2.

We recommend that you upgrade your pngcheck packages.

For the detailed security status of pngcheck please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/pngcheck

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================