Debian 10233 Published by

The following updates has been released for Debian GNU/Linux 7 LTS:

DLA 1305-1: ming security update
DLA 1306-1: vips security update



DLA 1305-1: ming security update




Package : ming
Version : 0.4.4-1.1+deb7u7
CVE ID : CVE-2018-5251 CVE-2018-5294 CVE-2018-6315 CVE-2018-6359

Multiple vulnerabilities have been discovered in Ming:

CVE-2018-5251

Integer signedness error vulnerability (left shift of a negative value) in
the readSBits function (util/read.c). Remote attackers can leverage this
vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-5294

Integer overflow vulnerability (caused by an out-of-range left shift) in
the readUInt32 function (util/read.c). Remote attackers could leverage this
vulnerability to cause a denial-of-service via a crafted swf file.

CVE-2018-6315

Integer overflow and resultant out-of-bounds read in the
outputSWF_TEXT_RECORD function (util/outputscript.c). Remote attackers
could leverage this vulnerability to cause a denial of service or
unspecified other impact via a crafted SWF file.

CVE-2018-6359

Use-after-free vulnerability in the decompileIF function
(util/decompile.c). Remote attackers could leverage this vulnerability to
cause a denial of service or unspecified other impact via a crafted SWF
file.

For Debian 7 "Wheezy", these problems have been fixed in version
0.4.4-1.1+deb7u7.

We recommend that you upgrade your ming packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1306-1: vips security update




Package : vips
Version : 7.28.5-1+deb7u2
CVE ID : CVE-2018-7998
Debian Bug : #892589

It was discovered that there was NULL function pointer dereference
vulnerability in vips, an image processing system for very large images.

Remote attackers could cause a denial of service via a specially-crafted
image file which occurred due to a race condition involving a failed
image load and other worker threads.

For Debian 7 "Wheezy", this issue has been fixed in vips version
7.28.5-1+deb7u2.

We recommend that you upgrade your vips packages.