Debian 10225 Published by

The following updates has been released for Debian:

[DLA 845-1] qemu security update
[DSA 3794-2] munin regression update
[DSA 3799-1] imagemagick security update



[DLA 845-1] qemu security update

Package : qemu
Version : 1.1.2+dfsg-6+deb7u20
CVE ID : CVE-2017-2615 CVE-2017-2620 CVE-2017-5898 CVE-2017-5973
Debian Bug :

Several vulnerabilities were discovered in qemu, a fast processor
emulator. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2017-2615

The Cirrus CLGD 54xx VGA Emulator in qemu is vulnerable to an
out-of-bounds access issue. It could occur while copying VGA data
via bitblt copy in backward mode.

A privileged user inside guest could use this flaw to crash the
Qemu process resulting in DoS OR potentially execute arbitrary
code on the host with privileges of Qemu process on the host.

CVE-2017-2620

The Cirrus CLGD 54xx VGA Emulator in qemu is vulnerable to an
out-of-bounds access issue. It could occur while copying VGA data
in cirrus_bitblt_cputovideo.

A privileged user inside guest could use this flaw to crash the
Qemu process resulting in DoS OR potentially execute arbitrary
code on the host with privileges of Qemu process on the host.

CVE-2017-5898

The CCID Card device emulator support is vulnerable to an integer
overflow flaw. It could occur while passing message via
command/responses packets to and from the host.

A privileged user inside guest could use this flaw to crash the
Qemu process on host resulting in DoS.

CVE-2017-5973

The USB xHCI controller emulator support in qemu is vulnerable
to an infinite loop issue. It could occur while processing control
transfer descriptors' sequence in xhci_kick_epctx.

A privileged user inside guest could use this flaw to crash the
Qemu process resulting in DoS.

This update also updates the fix CVE-2016-9921 since it was too strict
and broke certain guests.

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.2+dfsg-6+deb7u20.

We recommend that you upgrade your qemu packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


[DSA 3794-2] munin regression update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3794-2 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 02, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : munin
Debian Bug : 856455

The update for munin issues as DSA-3794-1 caused a regression in the
zooming functionality in munin-cgi-graph. Updated packages are now
available to correct this issue. For reference, the original advisory
text follows.

Stevie Trujillo discovered a local file write vulnerability in munin, a
network-wide graphing framework, when CGI graphs are enabled. GET
parameters are not properly handled, allowing to inject options into
munin-cgi-graph and overwriting any file accessible by the user running
the cgi-process.

For the stable distribution (jessie), this problem has been fixed in
version 2.0.25-1+deb8u2.

For the unstable distribution (sid), this problem has been fixed in
version 2.0.32-1.

We recommend that you upgrade your munin packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3799-1] imagemagick security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3799-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 01, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : imagemagick
CVE ID : CVE-2016-8707 CVE-2016-10062 CVE-2016-10144
CVE-2016-10145 CVE-2016-10146 CVE-2017-5506
CVE-2017-5507 CVE-2017-5508 CVE-2017-5510 CVE-2017-5511
Debian Bug : 851485 851483 851380 848139 851383 851382 851381
851374 851376 849439

This update fixes several vulnerabilities in imagemagick: Various
memory handling problems and cases of missing or incomplete input
sanitising may result in denial of service or the execution of arbitrary
code if malformed TIFF, WPG, IPL, MPC or PSB files are processed.

For the stable distribution (jessie), these problems have been fixed in
version 8:6.8.9.9-5+deb8u7.

For the testing distribution (stretch), these problems have been fixed
in version 8:6.9.7.4+dfsg-1.

For the unstable distribution (sid), these problems have been fixed in
version 8:6.9.7.4+dfsg-1.

We recommend that you upgrade your imagemagick packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/