ESB-2018.2655 - [Debian] lcms2: Execute arbitrary code/commands - Remote with user interaction 2018-09-07


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2655
                           lcms2 security update
                             7 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           lcms2
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-16435  

Reference:         ESB-2018.2614

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/09/msg00005.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : lcms2
Version        : 2.6-3+deb8u2
CVE ID         : CVE-2018-16435
Debian Bug     : #907983

It was discovered that there was an integer overflow vulnerability
in the "Little CMS 2" colour management library. A specially-crafted
input file could lead to a heap-based buffer overflow.

For Debian 8 "Jessie", this issue has been fixed in lcms2 version
2.6-3+deb8u2.

We recommend that you upgrade your lcms2 packages.


Regards,

- - -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
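The included Debian text describes the bug class rather than the exact code path: a size computed in 32-bit arithmetic wraps before the heap allocation it sizes, so a file-controlled row/column count yields a buffer smaller than the data later written into it. The C program below is an added illustration of that class and is not code from Little CMS, Debian or AusCERT; it does not reproduce the lcms2 function fixed in 2.6-3+deb8u2. The header layout, the two constructed headers, the MAX_TABLE_CELLS cap and every function name are assumptions made for this example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical policy cap on cells accepted from a file. The advisory does
 * not describe the real library's limits; this value is an assumption. */
#define MAX_TABLE_CELLS ((uint64_t)1 << 28)

/* Header as read from an untrusted input file: two 32-bit little-endian
 * counts. The layout is constructed for this example. */
typedef struct {
    uint32_t rows;
    uint32_t cols;
} table_hdr;

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns false if the buffer is too short to hold a header. */
bool parse_hdr(const uint8_t *buf, size_t len, table_hdr *h)
{
    if (len < 8)
        return false;
    h->rows = le32(buf);
    h->cols = le32(buf + 4);
    return true;
}

/* VULNERABLE pattern: rows * cols * sizeof(double) is evaluated in 32 bits
 * and wraps silently (unsigned wrap is defined behaviour, so nothing traps).
 * malloc() receives the wrapped, small size while the code that fills the
 * table still loops rows * cols times: a heap overflow driven by the file. */
uint32_t vuln_table_bytes(uint32_t rows, uint32_t cols)
{
    return rows * cols * (uint32_t)sizeof(double);
}

/* HARDENED pattern: widen before multiplying and enforce an explicit cap.
 * (uint64_t)rows * cols cannot wrap for 32-bit operands, and the cap keeps
 * the final byte count (at most 2^31) representable in size_t everywhere. */
bool safe_table_bytes(uint32_t rows, uint32_t cols, size_t *out)
{
    uint64_t cells = (uint64_t)rows * cols;
    if (cells > MAX_TABLE_CELLS)
        return false;
    *out = (size_t)(cells * sizeof(double));
    return true;
}

/* True when the 32-bit computation under-allocates relative to the real
 * size, i.e. when this header would trigger the overflow. */
bool header_triggers_wrap(const table_hdr *h)
{
    uint64_t real = (uint64_t)h->rows * h->cols * sizeof(double);
    return (uint64_t)vuln_table_bytes(h->rows, h->cols) < real;
}

/* Hardened loader: rejects a bad header before any allocation happens.
 * On success *cells is the element count and the returned table is zeroed. */
double *load_table_checked(const uint8_t *buf, size_t len, size_t *cells)
{
    table_hdr h;
    size_t nbytes;
    if (!parse_hdr(buf, len, &h) || !safe_table_bytes(h.rows, h.cols, &nbytes))
        return NULL;
    double *t = calloc(1, nbytes == 0 ? 1 : nbytes);
    if (t == NULL)
        return NULL;
    *cells = (size_t)h.rows * h.cols;   /* fits: bounded by MAX_TABLE_CELLS */
    return t;
}

int main(void)
{
    /* Constructed headers: a benign 256x3 table, and a crafted one whose
     * product 0x20000 * 0x8001 = 0x100020000 wraps to 0x20000 in 32 bits. */
    static const uint8_t benign[8]  = {0x00, 0x01, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00};
    static const uint8_t crafted[8] = {0x00, 0x00, 0x02, 0x00, 0x01, 0x80, 0x00, 0x00};
    table_hdr h;
    size_t cells = 0;

    parse_hdr(crafted, sizeof crafted, &h);
    printf("crafted: rows=%" PRIu32 " cols=%" PRIu32 " 32-bit size=%" PRIu32
           " bytes, under-allocates=%d\n",
           h.rows, h.cols, vuln_table_bytes(h.rows, h.cols), header_triggers_wrap(&h));
    printf("hardened loader rejects crafted header: %s\n",
           load_table_checked(crafted, sizeof crafted, &cells) == NULL ? "yes" : "no");

    double *t = load_table_checked(benign, sizeof benign, &cells);
    printf("benign header accepted: %zu cells\n", cells);
    free(t);
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. The program never writes past the under-sized buffer; it only reports the size mismatch that the unchecked arithmetic produces. Because unsigned wrap is well-defined in C, neither -Wall nor the default UBSan configuration flags vuln_table_bytes; clang's -fsanitize=unsigned-integer-overflow does, which is one reason to fuzz file parsers with that option enabled.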

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW5HCxGaOgq3Tt24GAQiGwA/+JK0VcXbEE3U8Jsm/A+Xd/o6QUJn4nBBJ
dP6jMM66ssz1799tzgp1S0k0HKiFWfQguz8/K8OJP+P6zDwbt94GJIGWzBKWogVR
k5i4fs24Pj63ow5OlrApi+L4/XsD7yzde+8WYLJs0M41EySwMMOsts+IGvr/Zp6u
4fPMaU9xCUYEq8yDifInnMI1/7doMUCSCNQUkZlBvjHaoLH3AR6nbRw7K0E7/bYl
CtI6RCUAenUpD9aWbRWYuIu9Jgq1QvnMNqy/c9KV1lk+DJbbDplNMwf44cgBDwGV
p6UMVMq54M7Xo7E7KxE+v3grYD5saeDU1jb/lglWWXOeLWPUq2Kv4eA88DJTe6yh
GTZOxs5jNSKcCSlv0UbhSA1vxF/wHnP6I+9KCIpIEMITsoX+zcglbZt2C2x/lE5J
cK3Ftq1mV+lQ6IZ3sNdzqmv1qandTK3C/cmEYRU3IbYyDGXxeegrwTUa7ZkmZ/a6
uV1nK6Jb0WF/iv5hyKt2fQsVyMav2qBXY394b4FprmiThBuoFMDBPL1Z0nDmfqpc
88+5+Nnyx+jA4u6llfsPOfgHu4wL3kjgm5CAWl2R9IwBOHBsejICI90xREaCtzMi
FoQBZaFZ/q3hDX8ecZT3/4JMiPmgMTTa7QHVVL/YoIlTQk+N5+vOrzgpH/dqi3tf
Bb2i0i+/g/o=
=ZH79
-----END PGP SIGNATURE-----
