Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.4491 tiff security update 27 November 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: tiff Publisher: Debian Operating System: Debian GNU/Linux 8 Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Denial of Service -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2019-17546 CVE-2019-6128 CVE-2018-18661 CVE-2018-12900 CVE-2017-17095 Reference: ESB-2019.4464 ESB-2019.4137 ESB-2018.0864 Original Bulletin: https://lists.debian.org/debian-lts-announce/2019/11/msg00027.html - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package : tiff Version : 4.0.3-12.3+deb8u10 CVE ID : CVE-2017-17095 CVE-2018-12900 CVE-2018-18661 CVE-2019-6128 CVE-2019-17546 Several issues have been found in tiff, a Tag Image File Format library. CVE-2019-17546 The RGBA interface contains an integer overflow that might lead to heap buffer overflow write. CVE-2019-6128 A memory leak exists due to missing cleanup code. CVE-2018-18661 In case of exhausted memory there is a null pointer dereference in tiff2bw. CVE-2018-12900 Fix for heap-based buffer overflow, that could be used to crash an application or even to execute arbitrary code (with the permission of the user running this application). CVE-2017-17095 A crafted tiff file could lead to a heap buffer overflow in pal2rgb. For Debian 8 "Jessie", these problems have been fixed in version 4.0.3-12.3+deb8u10. We recommend that you upgrade your tiff packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAl3dmCZfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7 WEd9LRAAr0Rd9+KqBflydKwo6NKuLGRNHI4G+mFPOMBIN+MSro1LwkZ9TeSyB9C7 62ANXPSZb5Se/ICFsv7GtmvAzsDJep0JF7IEiIoT48FFVCMGmfoNF9Z+Kac8ZnBI bSN47mJuLQ1Qd/gdxnzftZdIVREpGfAn0nV2koU5hs5dHKe+7Pz5Ol3zikUmmXbj oB4xRCcpdgDF0YMQd9VJUtZGiBvnzY5ODlOxHPA1c75rdAG76YL3GKdN5BDmkktc eVjTdU8lRYa7lZFRDDpT7Re6KM6eP11u2N4CDLd9Dzf8daHzELtIV5Dvi3LnYFq2 LK9jH7nMwjr1OQVaGBEfyO1ytSN5yellUYtKAsVJwql+LvXSpxaOBU1VVuoBxeBd j9sIazEgkQJSXKESuzSRjQsZxxTGobAQh07LKJ6oJgs2C8V6JlXn4ais2V28AOPV shUE4zeZumShqWDXpXDzipzFyHBYjE6YKARJAK65s7PlvzvjVzIAgbIjuQV7HauJ MHisL77Yb5lZnkkHu8pFH93FJ5v339N3sirPHMT/khkZnQNiqI8JIKazs0QOi7f7 OiFyjjWuUjVQh87eih3pSdcCRNFTHCiMuYdVmlTnxkg+1nf0Kih+V1PQm+lYNNa8 BpoMiqTGkr7o7evywxp7fAPkRqUVMqtNQMuXd4MnJdgwlsNA14E= =l51z - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXd4CoWaOgq3Tt24GAQhuQBAAv9MPuLFwoAlkmR4dTHZo/8ywLlYTPxzX ZFAec1dTSf7bplsY71PW/e7MLGhzwUECFVfc++Jy/TJFrygAii/9UtcBiFZXk/CS fq3rwE15f+ya3C9M8WfYCKr30JEKlrVc8+a8a8v5m8n+ATLri9ZqNXZoDGJAYlKm NS2zszAkTHdZnv4AU68QKKFbLc3wlRwkNjTgxA5H0b7sSbYOTlBkw6txsWa5oHVG VMovwCfvQxDkjbsxJEgKiBqd1fLX14lybaZ4Ej8Wq3K9LUXgNRpfGLE0t4TZlGeI mnvd2FIyHarVk9q1c1RQGQKrSF9QNV7HKAaAaksnTb+wJBDISSfP+JtQQ+Qj2EDD 6TOTnKheI4j+iS/745WPvUInjwpp08Z7VSVlqGNJvu07cIT+n5ng0ksiiCuL5On3 iE4oHdintk88XD35RDIFEDDnNeZ5dqbrk8sYrWwc98OESxQuMN67XdxZAxKhZrU0 2LoVTO+U/s7MLELOgi4uIajvSvn2qIuGerL/NpCdCGVLVBUK/ZzCrinZCb+siBEd r5E9Zaqkk523gGxIDG5PP6bFD9gUbc4AbYUu0ixK0h92cLKVMhBqrgVgC8iGi0cd jtgSifQyWDR5enMkGmQvt9TsX8WgrHvV8CnkrG1jHiR1x5moH6e5/a3eQjE/pjc4 FBtHBoucinA= =F2pe -----END PGP SIGNATURE-----