The following updates has been released for Debian GNU/Linux 7 LTS:
DLA 1305-1: ming security update
DLA 1306-1: vips security update
DLA 1305-1: ming security update
DLA 1306-1: vips security update
DLA 1305-1: ming security update
Package : ming
Version : 0.4.4-1.1+deb7u7
CVE ID : CVE-2018-5251 CVE-2018-5294 CVE-2018-6315 CVE-2018-6359
Multiple vulnerabilities have been discovered in Ming:
CVE-2018-5251
Integer signedness error vulnerability (left shift of a negative value) in
the readSBits function (util/read.c). Remote attackers can leverage this
vulnerability to cause a denial of service via a crafted swf file.
CVE-2018-5294
Integer overflow vulnerability (caused by an out-of-range left shift) in
the readUInt32 function (util/read.c). Remote attackers could leverage this
vulnerability to cause a denial-of-service via a crafted swf file.
CVE-2018-6315
Integer overflow and resultant out-of-bounds read in the
outputSWF_TEXT_RECORD function (util/outputscript.c). Remote attackers
could leverage this vulnerability to cause a denial of service or
unspecified other impact via a crafted SWF file.
CVE-2018-6359
Use-after-free vulnerability in the decompileIF function
(util/decompile.c). Remote attackers could leverage this vulnerability to
cause a denial of service or unspecified other impact via a crafted SWF
file.
For Debian 7 "Wheezy", these problems have been fixed in version
0.4.4-1.1+deb7u7.
We recommend that you upgrade your ming packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1306-1: vips security update
Package : vips
Version : 7.28.5-1+deb7u2
CVE ID : CVE-2018-7998
Debian Bug : #892589
It was discovered that there was NULL function pointer dereference
vulnerability in vips, an image processing system for very large images.
Remote attackers could cause a denial of service via a specially-crafted
image file which occurred due to a race condition involving a failed
image load and other worker threads.
For Debian 7 "Wheezy", this issue has been fixed in vips version
7.28.5-1+deb7u2.
We recommend that you upgrade your vips packages.