Debian 10225 Published by

The following updates has been released for Debian GNU/Linux:

DLA 1168-1: graphicsmagick security update
DSA 4006-2: mupdf security update



DLA 1168-1: graphicsmagick security update

Package : graphicsmagick
Version : 1.3.16-1.1+deb7u14
CVE ID : CVE-2017-16669


A remote denial of service vulnerability has been discovered in
graphicsmagick, a collection of image processing tools and associated
libraries.

A specially crafted file can be used to produce a heap-based buffer
overflow and application crash by exploiting a defect in the
AcquireCacheNexus function in magick/pixel_cache.c.

For Debian 7 "Wheezy", these problems have been fixed in version
1.3.16-1.1+deb7u14.

We recommend that you upgrade your graphicsmagick packages.

Note: The previous graphicsmagick package inadvertently introduced a
dependency on liblcms2-2. This version of the package returns to using
liblcms1. If your system does not otherwise require liblcms2-2, you
may want to consider removing it following the graphicsmagick upgrade.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DSA 4006-2: mupdf security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4006-2 security@debian.org
https://www.debian.org/security/
November 10, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : mupdf
CVE ID : CVE-2017-15587
Debian Bug : 879055

It was discovered that the original patch applied for CVE-2017-15587
in DSA-4006-1 was incomplete. Updated packages are now available to
address this problem. For reference, the relevant part of the original
advisory text follows.

CVE-2017-15587

Terry Chia and Jeremy Heng discovered an integer overflow that can
cause arbitrary code execution via a crafted .pdf file.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.5-1+deb8u3.

For the stable distribution (stretch), this problem have been fixed in
version 1.9a+ds1-4+deb9u2.

We recommend that you upgrade your mupdf packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/