Debian 10228 Published by

The following updates has been released for Debian 6 LTS:

[DLA 159-1] cups security update
[DLA 160-1] sudo security update
[DLA 161-1] libgtk2-perl security update
[DLA 162-1] e2fsprogs security update



[DLA 159-1] cups security update

Package : cups
Version : 1.4.4-7+squeeze7
CVE ID : CVE-2014-9679
Debian Bug : #778387

Peter De Wachter discovered that CUPS, the Common UNIX Printing
System, did not correctly parse compressed raster files. By submitting
a specially crafted raster file, a remote attacker could use this
vulnerability to trigger a buffer overflow.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1.4.4-7+squeeze7.

For the stable distribution (wheezy), this problem has been fixed in
version 1.5.3-5+deb7u5.

We recommend that you upgrade your cups packages.

[DLA 160-1] sudo security update

Package : sudo
Version : 1.7.4p4-2.squeeze.5
CVE ID : CVE-2014-0106 CVE-2014-9680
Debian Bug : #772707

This update fixes the CVEs described below.

CVE-2014-0106

Todd C. Miller reported that if the env_reset option is disabled
in the sudoers file, the env_delete option is not correctly
applied to environment variables specified on the command line. A
malicious user with sudo permissions may be able to run arbitrary
commands with elevated privileges by manipulating the environment
of a command the user is legitimately allowed to run.

CVE-2014-9680

Jakub Wilk reported that sudo preserves the TZ variable from a
user's environment without any sanitization. A user with sudo
access may take advantage of this to exploit bugs in the C library
functions which parse the TZ environment variable or to open files
that the user would not otherwise be able to open. The latter
could potentially cause changes in system behavior when reading
certain device special files or cause the program run via sudo to
block.

For the oldstable distribution (squeeze), these problems have been fixed
in version 1.7.4p4-2.squeeze.5.

For the stable distribution (wheezy), they have been fixed in version
1.8.5p2-1+nmu2.

We recommend that you upgrade your sudo packages.

[DLA 161-1] libgtk2-perl security update

Package : libgtk2-perl
Version : 2:1.222-1+deb6u1

It was discovered that libgtk2-perl, a Perl interface to the 2.x series
of the Gimp Toolkit library, incorrectly frees memory which GTK+ still
holds onto and might access later, leading to denial of service
(application crash) or, potentially, to arbitrary code execution.

[DLA 162-1] e2fsprogs security update

Package : e2fsprogs
Version : 1.41.12-4+deb6u2
CVE ID : CVE-2015-1572
Debian Bug : 778948

ose Duart of the Google Security Team discovered a buffer overflow in
in e2fsprogs, a set of utilities for the ext2, ext3, and ext4 file
systems. This issue can possibly lead to arbitrary code execution if
a malicious device is plugged in, the system is configured to
automatically mount it, and the mounting process chooses to run fsck
on the device's malicious filesystem.

CVE-2015-1572

Incomplete fix for CVE-2015-0247.