Debian 10225 Published by

The following updates has been released for Debian 7 LTS:

[DLA 448-1] subversion security update
[DLA 449-1] botan1.10 security update
[DLA 450-1] gdk-pixbuf security update



[DLA 448-1] subversion security update

Package : subversion
Version : 1.6.17dfsg-4+deb7u11
CVE ID : CVE-2016-2167 CVE-2016-2168

CVE-2016-2167

svnserve, the svn:// protocol server, can optionally use the Cyrus
SASL library for authentication, integrity protection, and encryption.
Due to a programming oversight, authentication against Cyrus SASL
would permit the remote user to specify a realm string which is
a prefix of the expected realm string.


CVE-2016-2168

Subversion's httpd servers are vulnerable to a remotely triggerable crash
in the mod_authz_svn module. The crash can occur during an authorization
check for a COPY or MOVE request with a specially crafted header value.

This allows remote attackers to cause a denial of service.

[DLA 449-1] botan1.10 security update

Package : botan1.10
Version : 1.10.5-1+deb7u1
CVE ID : CVE-2014-9742 CVE-2015-5726 CVE-2015-5727
CVE-2015-7827 CVE-2016-2194 CVE-2016-2195
CVE-2016-2849

Several security vulnerabilities were found in botan1.10, a C++
library which provides support for many common cryptographic
operations, including encryption, authentication, X.509v3 certificates
and CRLs.

CVE-2014-9742
A bug in Miller-Rabin primality testing was responsible for
insufficient randomness.

CVE-2015-5726
The BER decoder would crash due to reading from offset 0 of an
empty vector if it encountered a BIT STRING which did not contain
any data at all. This can be used to easily crash applications
reading untrusted ASN.1 data, but does not seem exploitable for
code execution.

CVE-2015-5727
The BER decoder would allocate a fairly arbitrary amount of memory
in a length field, even if there was no chance the read request
would succeed. This might cause the process to run out of memory or
invoke the OOM killer.

CVE-2015-7827
Use constant time PKCS #1 unpadding to avoid possible side channel
attack against RSA decryption

CVE-2016-2194
Infinite loop in modular square root algorithm.
The ressol function implementing the Tonelli-Shanks algorithm for
finding square roots could be sent into a nearly infinite loop due
to a misplaced conditional check. This could occur if a composite
modulus is provided, as this algorithm is only defined for primes.
This function is exposed to attacker controlled input via the
OS2ECP function during ECC point decompression.

CVE-2016-2195
Fix Heap overflow on invalid ECC point.

CVE-2016-2849
Use constant time modular inverse algorithm to avoid possible
side channel attack against ECDSA

For Debian 7 "Wheezy", these problems have been fixed in version
1.10.5-1+deb7u1.

We recommend that you upgrade your botan1.10 packages.

[DLA 450-1] gdk-pixbuf security update

Package : gdk-pixbuf
Version : 2.26.1-1+deb7u4
CVE ID : CVE-2015-7552 CVE-2015-7674

A heap-based buffer overflow has been discovered in gdk-pixbuf, a
library for image loading and saving facilities, fast scaling and
compositing of pixbufs, that allows remote attackers to cause a denial
of service or possibly execute arbitrary code via a crafted BMP file.

This update also fixes an incomplete patch for CVE-2015-7674.

CVE-2015-7552
Heap-based buffer overflow in the gdk_pixbuf_flip function in
gdk-pixbuf-scale.c in gdk-pixbuf allows remote attackers to cause a
denial of service or possibly execute arbitrary code via a crafted
BMP file.


CVE-2015-7674
Integer overflow in the pixops_scale_nearest function in
pixops/pixops.c in gdk-pixbuf before 2.32.1 allows remote attackers
to cause a denial of service (application crash) and possibly
execute arbitrary code via a crafted GIF image file, which triggers
a heap-based buffer overflow.

For Debian 7 "Wheezy", these problems have been fixed in version
2.26.1-1+deb7u4.

We recommend that you upgrade your gdk-pixbuf packages.