Debian 10225 Published by

The following updates has been released for Debian GNU/Linux:

DLA 1259-1: tiff security update
DLA 1260-1: tiff3 security update
DLA 1261-1: clamav security update
DSA 4099-1: ffmpeg security update
DSA 4100-1: tiff security update



DLA 1259-1: tiff security update

Package : tiff
Version : 4.0.2-6+deb7u18
CVE ID : CVE-2017-18013
Debian Bug : 885985


A vulnerability has been discovered in the libtiff image processing
library which may result in an application crash and denial of
service.

CVE-2017-18013

NULL pointer dereference via crafted TIFF image

For Debian 7 "Wheezy", these problems have been fixed in version
4.0.2-6+deb7u18.

We recommend that you upgrade your tiff packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1260-1: tiff3 security update

Package : tiff3
Version : 3.9.6-11+deb7u9
CVE ID : CVE-2017-18013
Debian Bug : 885985


A vulnerability has been discovered in the libtiff image processing
library which may result in an application crash and denial of
service.

CVE-2017-18013

NULL pointer dereference via crafted TIFF image

For Debian 7 "Wheezy", these problems have been fixed in version
3.9.6-11+deb7u9.

We recommend that you upgrade your tiff3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DLA 1261-1: clamav security update

Package : clamav
Version : 0.99.2+dfsg-0+deb7u4
CVE ID : CVE-2017-12374 CVE-2017-12375 CVE-2017-12376
CVE-2017-12377 CVE-2017-12378 CVE-2017-12379
CVE-2017-12380
Debian Bug : 888484 824196


Multiple vulnerabilities have been discovered in clamav, the ClamAV
AntiVirus toolkit for Unix. Effects range from denial of service to
potential arbitrary code execution. Additionally, this version fixes
a longstanding issue that has recently resurfaced whereby a malformed
virus signature database can cause an application crash and denial of
service.

CVE-2017-12374

ClamAV has a use-after-free condition arising from a lack of input
validation. A remote attacker could exploit this vulnerability with
a crafted email message to cause a denial of service.

CVE-2017-12375

ClamAV has a buffer overflow vulnerability arising from a lack of
input validation. An unauthenticated remote attacker could send a
crafted email message to the affected device, triggering a buffer
overflow and potentially a denial of service when the malicious
message is scanned.

CVE-2017-12376

ClamAV has a buffer overflow vulnerability arising from improper
input validation when handling Portable Document Format (PDF) files.
An unauthenticated remote attacker could send a crafted PDF file to
the affected device, triggering a buffer overflow and potentially a
denial of service or arbitrary code execution when the malicious
file is scanned.

CVE-2017-12377

ClamAV has a heap overflow vulnerability arising from improper input
validation when handling mew packets. An attacker could exploit this
by sending a crafted message to the affected device, triggering a
denial of service or possible arbitrary code execution when the
malicious file is scanned.

CVE-2017-12378

ClamAV has a buffer overread vulnerability arising from improper
input validation when handling tape archive (TAR) files. An
unauthenticated remote attacker could send a crafted TAR file to
the affected device, triggering a buffer overread and potentially a
denial of service when the malicious file is scanned.

CVE-2017-12379

ClamAV has a buffer overflow vulnerability arising from improper
input validation in the message parsing function. An unauthenticated
remote attacker could send a crafted email message to the affected
device, triggering a buffer overflow and potentially a denial of
service or arbitrary code execution when the malicious message is
scanned.

CVE-2017-12380

ClamAV has a NULL dereference vulnerability arising from improper
input validation in the message parsing function. An unauthenticated
remote attacker could send a crafted email message to the affected
device, triggering a NULL pointer dereference, which may result in a
denial of service.

Debian Bug #824196

A malformed virus signature database could cause an application
crash and denial of service.


For Debian 7 "Wheezy", these problems have been fixed in version
0.99.2+dfsg-0+deb7u4.

We recommend that you upgrade your clamav packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



DSA 4099-1: ffmpeg security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4099-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 27, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ffmpeg
CVE ID : CVE-2017-17081

Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.

For the stable distribution (stretch), this problem has been fixed in
version 7:3.2.10-1~deb9u1.

We recommend that you upgrade your ffmpeg packages.

For the detailed security status of ffmpeg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ffmpeg

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4100-1: tiff security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4100-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 27, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : tiff
CVE ID : CVE-2017-9935 CVE-2017-11335 CVE-2017-12944 CVE-2017-13726
CVE-2017-13727 CVE-2017-18013

Multiple vulnerabilities have been discovered in the libtiff library and
the included tools, which may result in denial of service or the
execution of arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed
in version 4.0.3-12.3+deb8u5.

For the stable distribution (stretch), these problems have been fixed in
version 4.0.8-2+deb9u2.

We recommend that you upgrade your tiff packages.

For the detailed security status of tiff please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tiff

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/