Operating System: Debian
Published: 20 December 2019

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4750
                        gdk-pixbuf security update
                             20 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           gdk-pixbuf
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-6314 CVE-2017-6313 CVE-2017-6312
                   CVE-2017-2870 CVE-2016-6352 

Reference:         ESB-2018.2486
                   ESB-2018.0166
                   ESB-2018.0165
                   ESB-2017.2362

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2019/12/msg00025.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : gdk-pixbuf
Version        : 2.31.1-2+deb8u8
CVE ID         : CVE-2016-6352 CVE-2017-2870 CVE-2017-6312 CVE-2017-6313
                  CVE-2017-6314

Several issues have been found in gdk-pixbuf, a library for handling pixbufs (in-memory pixel buffers).

CVE-2016-6352
      Fix for a denial of service (out-of-bounds write and crash) via
      crafted dimensions in an ICO file.

CVE-2017-2870
      Fix for an exploitable integer overflow vulnerability in the
      tiff_image_parse functionality. When the software is compiled with
      clang, a specially crafted TIFF file can cause a heap overflow
      resulting in remote code execution. The Debian package is compiled
      with gcc and is not affected, but some downstream builds probably are.

CVE-2017-6312
      Fix for an integer overflow in io-ico.c that allows attackers
      to cause a denial of service (segmentation fault and application
      crash) via a crafted image.

CVE-2017-6313
      Fix for an integer underflow in the load_resources function in
      io-icns.c that allows attackers to cause a denial of service
      (out-of-bounds read and program crash) via a crafted image entry
      size in an ICO file.

CVE-2017-6314
      Fix for an infinite loop in the make_available_at_least function
      in io-tiff.c that allows attackers to cause a denial of service
      via a large TIFF file.


For Debian 8 "Jessie", these problems have been fixed in version
2.31.1-2+deb8u8.

We recommend that you upgrade your gdk-pixbuf packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
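A way to check whether an installed gdk-pixbuf already carries the fix named above, as an added example (not part of the Debian or AusCERT bulletin): it reimplements dpkg's version ordering in Python so the comparison runs offline, and assumes the binary package is named libgdk-pixbuf2.0-0 and that dpkg-query is available when run on a Debian host.

```python
import subprocess

FIXED_VERSION = "2.31.1-2+deb8u8"   # fixed version named in the advisory for Debian 8 "Jessie"

def _order(c):  # dpkg character rank: '~' < end of string < letters < other characters
    if c == "~":
        return -1
    if not c or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):  # compare an upstream version or revision as alternating non-digit/digit runs
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            d = _order(a[i:i + 1]) - _order(b[j:j + 1])   # slices give "" past the end
            if d:
                return d
            i, j = i + 1, j + 1
        na, nb = "", ""
        while i < len(a) and a[i].isdigit():
            na, i = na + a[i], i + 1
        while j < len(b) and b[j].isdigit():
            nb, j = nb + b[j], j + 1
        d = int(na or "0") - int(nb or "0")   # digit runs compare numerically, so deb8u10 > deb8u8
        if d:
            return d
    return 0

def _split(version):  # [epoch:]upstream[-revision]; missing epoch is 0, missing revision is ""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")
def compare_versions(a, b):  # negative if a < b, 0 if equal, positive if a > b (dpkg ordering)
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)
def is_fixed(installed, fixed=FIXED_VERSION):
    return compare_versions(installed, fixed) >= 0
def installed_version(package="libgdk-pixbuf2.0-0"):  # assumed binary package name
    try:  # None when dpkg-query is absent or the package is not installed
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None
if __name__ == "__main__":
    v = installed_version()
    print("no dpkg or package not installed" if v is None else f"{v}: {'fixed' if is_fixed(v) else 'VULNERABLE'}")
```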

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----