
The following updates have been released for Debian GNU/Linux 8 LTS:

DLA 1907-1: libav security update
DLA 1908-1: pump security update
DLA 1907-1: libav security update

Package : libav
Version : 6:11.12-1~deb8u8
CVE ID : CVE-2017-9987 CVE-2018-5766 CVE-2018-11102 CVE-2019-14372
CVE-2019-14442


Several security issues have been corrected in multiple demuxers and
decoders of the libav multimedia library.

CVE-2017-9987

In Libav, there was a heap-based buffer overflow in the function
hpel_motion in mpegvideo_motion.c. A crafted input could have led to
a remote denial of service attack.

CVE-2018-5766

In Libav, there was an invalid memcpy in the av_packet_ref function of
libavcodec/avpacket.c. Remote attackers could have leveraged this
vulnerability to cause a denial of service (segmentation fault) via a
crafted avi file.

CVE-2018-11102

A read access violation in the mov_probe function in
libavformat/mov.c allowed remote attackers to cause a denial of
service (application crash), as demonstrated by avconv.

CVE-2019-14372

In Libav, there was an infinite loop in the function
wv_read_block_header() in the file wvdec.c.

CVE-2019-14442

In mpc8_read_header in libavformat/mpc8.c, an input file could have
resulted in an avio_seek infinite loop and hang, with 100% CPU
consumption. Attackers could have leveraged this vulnerability to
cause a denial of service via a crafted file.
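Two of the issues above (CVE-2019-14372 and CVE-2019-14442) are demuxer loops that stop making forward progress on a crafted file. The following C example is added here to illustrate the defensive pattern behind such fixes; it is not libav code and its block format (a 4-byte little-endian size prefix that includes the header) is constructed for the example. The point is the two guards on `size`: a block that is smaller than its own header, or that claims more bytes than remain, is rejected instead of leaving `pos` where it was.

```c
#include <stddef.h>
#include <stdint.h>

/* Walks a constructed block-based container: each block starts with a
 * 4-byte little-endian size that includes the 4 header bytes.  Returns the
 * number of blocks, or -1 on a malformed stream.  Rejecting size < 4 is
 * what guarantees the loop advances on every iteration; rejecting
 * size > remaining keeps the walk inside the buffer. */
int count_blocks(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    int n = 0;
    while (pos < len) {
        if (len - pos < 4)
            return -1;                       /* truncated block header */
        uint32_t size = (uint32_t)buf[pos]
                      | ((uint32_t)buf[pos + 1] << 8)
                      | ((uint32_t)buf[pos + 2] << 16)
                      | ((uint32_t)buf[pos + 3] << 24);
        if (size < 4)
            return -1;                       /* zero/short block: no progress */
        if (size > len - pos)
            return -1;                       /* claims more data than present */
        pos += size;                         /* strictly increases */
        n++;
    }
    return n;
}

/* Constructed sample streams exercising each branch. */
int demo_well_formed(void)
{
    /* three blocks: 6 bytes, 4 bytes (header only), 5 bytes */
    const uint8_t s[] = { 6, 0, 0, 0, 0xAA, 0xBB,
                          4, 0, 0, 0,
                          5, 0, 0, 0, 0xCC };
    return count_blocks(s, sizeof(s));
}

int demo_zero_size_block(void)
{
    /* second block declares size 0: an unguarded loop would spin forever */
    const uint8_t s[] = { 6, 0, 0, 0, 1, 2,
                          0, 0, 0, 0 };
    return count_blocks(s, sizeof(s));
}

int demo_oversized_block(void)
{
    /* second block declares 16 bytes but only 5 remain */
    const uint8_t s[] = { 6, 0, 0, 0, 1, 2,
                          16, 0, 0, 0, 1 };
    return count_blocks(s, sizeof(s));
}

int demo_truncated_header(void)
{
    /* only 2 bytes left where a 4-byte header is required */
    const uint8_t s[] = { 6, 0, 0, 0, 1, 2,
                          7, 0 };
    return count_blocks(s, sizeof(s));
}
```

The `pos += size` step is the only place the cursor moves, so every accepted block must satisfy `size >= 4`; a parser that seeks to a position computed from a zero or backwards-pointing field without such a check exhibits exactly the 100% CPU hang described for CVE-2019-14442.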

For Debian 8 "Jessie", these problems have been fixed in version
6:11.12-1~deb8u8.

We recommend that you upgrade your libav packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1908-1: pump security update

Package : pump
Version : 0.8.24-7+deb8u1
Debian Bug : #933674

It was discovered that there was an arbitrary code execution
vulnerability in the pump BOOTP and DHCP client.

When copying the body of the server response, the ethernet packet
length could be forged leading to being able to overwrite up to
"ETH_FRAME_LEN - sizeof(*ipHdr) - sizeof(*udpHdr) - sizeof(*bresp)"
bytes of stack memory.
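As an added illustration of the length handling this advisory describes (not pump's source, and with a constructed reply structure rather than the real BOOTP layout), the C example below copies the UDP payload of a raw Ethernet frame into a fixed-size structure. The attacker-influenced length is checked against both the number of bytes actually received and `sizeof` the destination before `memcpy` runs, and `max_overrun()` evaluates the advisory's expression `ETH_FRAME_LEN - sizeof(*ipHdr) - sizeof(*udpHdr) - sizeof(*bresp)` for the constructed sizes. `ETH_FRAME_LEN` uses the Linux `<linux/if_ether.h>` value; the IPv4 header is assumed to carry no options.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_FRAME_LEN 1514   /* max Ethernet frame, Linux <linux/if_ether.h> */
#define ETH_HLEN      14
#define IP_HLEN       20     /* assumed: IPv4 header without options */
#define UDP_HLEN      8

/* Constructed stand-in for the client's reply structure (not the real
 * BOOTP/DHCP layout). */
struct reply {
    uint8_t body[300];
};

/* Bytes an unchecked copy could write past the end of `struct reply`,
 * mirroring the expression quoted in the advisory. */
size_t max_overrun(void)
{
    return ETH_FRAME_LEN - IP_HLEN - UDP_HLEN - sizeof(struct reply);
}

/* Copies the UDP payload of `frame` into `out`.  Returns the payload
 * length, or -1 if any length is inconsistent with what was received or
 * with the size of the destination. */
int copy_reply_body(const uint8_t *frame, size_t frame_len, struct reply *out)
{
    if (frame_len < ETH_HLEN + IP_HLEN + UDP_HLEN)
        return -1;                                   /* headers missing */

    const uint8_t *udp = frame + ETH_HLEN + IP_HLEN;
    /* UDP length is big-endian and includes the 8-byte UDP header. */
    size_t udp_len = ((size_t)udp[4] << 8) | udp[5];
    if (udp_len < UDP_HLEN)
        return -1;
    if (udp_len > frame_len - ETH_HLEN - IP_HLEN)
        return -1;                                   /* exceeds bytes received */

    size_t body_len = udp_len - UDP_HLEN;
    if (body_len > sizeof(out->body))
        return -1;                                   /* exceeds destination */

    memset(out->body, 0, sizeof(out->body));
    memcpy(out->body, udp + UDP_HLEN, body_len);
    return (int)body_len;
}

/* Builds a constructed frame of `frame_len` bytes whose UDP length field
 * claims `udp_len`, then runs it through copy_reply_body(). */
int try_frame(size_t frame_len, uint16_t udp_len)
{
    uint8_t frame[ETH_FRAME_LEN];
    struct reply r;
    size_t hdrs = ETH_HLEN + IP_HLEN + UDP_HLEN;

    if (frame_len > sizeof(frame) || frame_len < hdrs)
        return -1;
    memset(frame, 0, sizeof(frame));
    memset(frame + hdrs, 0xAB, frame_len - hdrs);    /* dummy payload */
    frame[ETH_HLEN + IP_HLEN + 4] = (uint8_t)(udp_len >> 8);
    frame[ETH_HLEN + IP_HLEN + 5] = (uint8_t)(udp_len & 0xFF);
    return copy_reply_body(frame, frame_len, &r);
}
```

A 92-byte frame whose UDP length field says 58 yields a 50-byte body and is accepted; a 100-byte frame claiming a UDP length of 1400 is rejected because the claim exceeds what arrived; a large frame whose payload is one byte longer than `reply.body` is rejected by the destination-size check. The second and third checks together are what an unchecked copy lacks.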

Thanks to for the report and patch.

For Debian 8 "Jessie", this issue has been fixed in pump version
0.8.24-7+deb8u1.

We recommend that you upgrade your pump packages.