Debian 10229 Published by

The following updates has been released for Debian:

[DLA 942-1] jbig2dec security update
[DSA 3853-1] bitlbee security update



[DLA 942-1] jbig2dec security update

Package : jbig2dec
Version : 0.13-4~deb7u2
CVE ID : CVE-2017-7885 CVE-2017-7975 CVE-2017-7976

CVE-2017-7885
Artifex jbig2dec 0.13 has a heap-based buffer over-read leading to
denial of service (application crash) or disclosure of sensitive
information from process memory, because of an integer overflow
in the jbig2_decode_symbol_dict function in jbig2_symbol_dict.c
in libjbig2dec.a during operation on a crafted .jb2 file.

CVE-2017-7975
Artifex jbig2dec 0.13, as used in Ghostscript, allows out-of-bounds
writes because of an integer overflow in the jbig2_build_huffman_table
function in jbig2_huffman.c during operations on a crafted JBIG2 file,
leading to a denial of service (application crash) or possibly
execution of arbitrary code.

CVE-2017-7976
Artifex jbig2dec 0.13 allows out-of-bounds writes and reads because
of an integer overflow in the jbig2_image_compose function in
jbig2_image.c during operations on a crafted .jb2 file, leading
to a denial of service (application crash) or disclosure of
sensitive information from process memory.

For Debian 7 "Wheezy", these problems have been fixed in version
0.13-4~deb7u2.

We recommend that you upgrade your jbig2dec packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DSA 3853-1] bitlbee security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3853-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
May 15, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : bitlbee
CVE ID : CVE-2016-10188 CVE-2016-10189

It was discovered that bitlbee, an IRC to other chat networks gateway,
contained issues that allowed a remote attacker to cause a denial of
service (via application crash), or potentially execute arbitrary
commands.

For the stable distribution (jessie), these problems have been fixed in
version 3.2.2-2+deb8u1.

For the upcoming stable (stretch) and unstable (sid) distributions,
these problems have been fixed in version 3.5-1.

We recommend that you upgrade your bitlbee packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/