===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0221
                          transfig security update
                              22 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           transfig
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-19555 CVE-2019-14275 CVE-2018-16140

Reference:         ESB-2019.1810
                   ESB-2018.2658

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2020/01/msg00018.html

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : transfig
Version        : 1:3.2.5.e-4+deb8u2
CVE ID         : CVE-2018-16140 CVE-2019-14275 CVE-2019-19555

Several issues have been found in transfig, a XFig figure files converter.

CVE-2018-16140

    Buffer underwrite vulnerability in get_line() allows an attacker to
    write prior to the beginning of the buffer via a crafted .fig file.

CVE-2019-14275

    Stack-based buffer overflow in the calc_arrow function in bound.c.

CVE-2019-19555

    Stack-based buffer overflow because of an incorrect sscanf.

For Debian 8 "Jessie", these problems have been fixed in version
1:3.2.5.e-4+deb8u2.

We recommend that you upgrade your transfig packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
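
Added example (not part of the AusCERT bulletin or the Debian advisory): a check of a package inventory against the fixed version 1:3.2.5.e-4+deb8u2, for lists analysed off-host where dpkg is not available. It reimplements Debian's version ordering (epoch, upstream version, revision, '~'); the hostnames and versions in SAMPLE are constructed, and the inventory is assumed to cover Debian 8 hosts only.

```python
import re

FIXED = "1:3.2.5.e-4+deb8u2"  # fixed version for Debian 8 "Jessie", from the advisory

def _order(c):
    # dpkg weights: '~' < end of string < letters < other characters
    if c in ("", "~"):
        return -1 if c else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit and digit runs, as dpkg does.
    while a or b:
        ta, tb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(ta):], b[len(tb):]
        for k in range(max(len(ta), len(tb))):
            oa, ob = _order(ta[k:k + 1]), _order(tb[k:k + 1])
            if oa != ob:
                return -1 if oa < ob else 1
        na, nb = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        ia, ib = int(na or 0), int(nb or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def _split(version):
    # (epoch, upstream, revision); a missing epoch is 0, a missing revision "".
    head, sep, tail = version.partition(":")
    epoch, rest = (head, tail) if sep else ("0", version)
    upstream, dash, revision = rest.rpartition("-")
    return (int(epoch),) + ((upstream, revision) if dash else (rest, ""))

def compare(a, b):
    """Return -1, 0 or 1: Debian version a is older than, equal to, newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def needs_upgrade(inventory):
    """Hosts whose transfig version sorts below the fixed version."""
    return sorted(h for h, v in inventory.items() if compare(v, FIXED) < 0)

# Constructed sample inventory: hostnames and installed versions are made up.
SAMPLE = {
    "build-01": "1:3.2.5.e-4+deb8u2",       # fixed
    "build-02": "1:3.2.5.e-4+deb8u1",       # previous security revision
    "docs-01": "1:3.2.5.e-4+deb8u2~test1",  # '~' sorts before the release
    "lab-01": "3.2.6-1",                    # no epoch: epoch 0 sorts below 1
}
```

Calling needs_upgrade(SAMPLE) returns the hosts still below the fixed version; on a Debian host itself, dpkg --compare-versions gives the same ordering.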