===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4750
                         gdk-pixbuf security update
                              20 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           gdk-pixbuf
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-6314 CVE-2017-6313 CVE-2017-6312 CVE-2017-2870
                   CVE-2016-6352
Reference:         ESB-2018.2486
                   ESB-2018.0166
                   ESB-2018.0165
                   ESB-2017.2362

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2019/12/msg00025.html

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : gdk-pixbuf
Version        : 2.31.1-2+deb8u8
CVE ID         : CVE-2016-6352 CVE-2017-2870 CVE-2017-6312 CVE-2017-6313
                 CVE-2017-6314

Several issues have been found in gdk-pixbuf, a library for handling pixbufs
(pixel buffers).

CVE-2016-6352

    Fix for a denial of service (out-of-bounds write and crash) via crafted
    dimensions in an ICO file.

CVE-2017-2870

    Fix for an exploitable integer overflow vulnerability in the
    tiff_image_parse functionality. When the software is compiled with clang,
    a specially crafted TIFF file can cause a heap overflow resulting in
    remote code execution. The Debian package is compiled with gcc and is not
    affected, but some downstream builds probably are.

CVE-2017-6312

    Fix for an integer overflow in io-ico.c that allows attackers to cause a
    denial of service (segmentation fault and application crash) via a
    crafted image.

CVE-2017-6313

    Fix for an integer underflow in the load_resources function in io-icns.c
    that allows attackers to cause a denial of service (out-of-bounds read
    and program crash) via a crafted image entry size in an ICO file.

CVE-2017-6314

    Fix for an infinite loop in the make_available_at_least function in
    io-tiff.c that allows attackers to cause a denial of service via a large
    TIFF file.

For Debian 8 "Jessie", these problems have been fixed in version
2.31.1-2+deb8u8.

We recommend that you upgrade your gdk-pixbuf packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained
in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
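The ICO entries in the advisory (CVE-2016-6352 and CVE-2017-6312) describe integer overflows in image-dimension arithmetic. As an added illustration of that bug class, not code from gdk-pixbuf's io-ico.c or from the advisory, the following places a size computation written in the vulnerable style next to a hardened one; the function names, the ICO_MAX_DIM bound and the sample header values are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example of the bug class named for CVE-2016-6352 / CVE-2017-6312:
 * integer overflow while sizing a pixel buffer from header-declared dimensions.
 * Not gdk-pixbuf's io-ico.c; names, bound and sample values are chosen here. */

#define ICO_MAX_DIM 4096u   /* example bound; a real decoder uses the format's limit */

/* Vulnerable style: the product wraps in 32 bits, so a crafted header can
 * produce a tiny (even zero-byte) allocation that later row writes run past. */
uint32_t ico_bytes_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * bpp / 8 * height;
}

/* Hardened style: validate each field, then use overflow-checked arithmetic.
 * Returns 0 when the header is rejected, otherwise the exact byte count
 * (which is never 0 for accepted input). */
size_t ico_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp)
{
    if (width == 0 || height == 0 || width > ICO_MAX_DIM || height > ICO_MAX_DIM)
        return 0;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24 && bpp != 32)
        return 0;

    size_t row_bits, total;
    if (__builtin_mul_overflow((size_t)width, (size_t)bpp, &row_bits))
        return 0;
    size_t row_bytes = (row_bits + 31) / 32 * 4;   /* BMP rows are padded to 4 bytes */
    if (__builtin_mul_overflow(row_bytes, (size_t)height, &total))
        return 0;
    return total;
}

int main(void)
{
    /* Constructed header values: one sane icon, one crafted so the
     * unchecked product wraps to exactly zero. */
    printf("16x16x32     unchecked=%u checked=%zu\n",
           ico_bytes_unchecked(16, 16, 32), ico_bytes_checked(16, 16, 32));
    printf("65536^2x32   unchecked=%u checked=%zu\n",
           ico_bytes_unchecked(65536, 65536, 32), ico_bytes_checked(65536, 65536, 32));
    return 0;
}
```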