ESB-2018.0439 - [Linux][Debian] librsvg: Access confidential data - Remote with user interaction 2018-02-14


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0439
              A vulnerability has been identified in librsvg
                             14 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           librsvg
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Linux variants
Impact/Access:     Access Confidential Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000041  

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/02/msg00013.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running librsvg check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : librsvg
Version        : 2.36.1-2+deb7u3
CVE ID         : CVE-2018-1000041

It was discovered that there was an input validation vulnerability in
the librsvg renderer library that could result in data being leaked to
remote attackers via a specially-crafted file.

For Debian 7 "Wheezy", this issue has been fixed in librsvg version
2.36.1-2+deb7u3.

We recommend that you upgrade your librsvg packages.


Regards,

- - -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
