Debian 9843

The following Debian updates have been released:

[DLA 956-1] libsndfile security update
[DLA 957-1] bind9 security update
[DLA 958-1] libonig security update
[DLA 959-1] libical security update
[DLA 960-1] imagemagick security update
[DSA 3864-1] fop security update



[DLA 956-1] libsndfile security update

Package : libsndfile
Version : 1.0.25-9.1+deb7u2
CVE ID : CVE-2017-8361 CVE-2017-8362 CVE-2017-8363 CVE-2017-8365


CVE-2017-8361
The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows
remote attackers to cause a denial of service (buffer overflow and
application crash) or possibly have unspecified other impact via a
crafted audio file.

CVE-2017-8362
The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows
remote attackers to cause a denial of service (invalid read and
application crash) via a crafted audio file.

CVE-2017-8363
The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows
remote attackers to cause a denial of service (heap-based buffer
over-read and application crash) via a crafted audio file.

CVE-2017-8365
The i2les_array function in pcm.c in libsndfile 1.0.28 allows
remote attackers to cause a denial of service (buffer over-read
and application crash) via a crafted audio file.


For Debian 7 "Wheezy", these problems have been fixed in version
1.0.25-9.1+deb7u2.

We recommend that you upgrade your libsndfile packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 957-1] bind9 security update

Package : bind9
Version : 1:9.8.4.dfsg.P1-6+nmu2+deb7u16
CVE ID : CVE-2017-3136 CVE-2017-3137 CVE-2017-3138

CVE-2017-3136

Oleg Gorokhov of Yandex discovered that BIND does not properly
handle certain queries when using DNS64 with the "break-dnssec yes;"
option, allowing a remote attacker to cause a denial-of-service.

CVE-2017-3137

It was discovered that BIND makes incorrect assumptions about the
ordering of records in the answer section of a response containing
CNAME or DNAME resource records, leading to situations where BIND
exits with an assertion failure. An attacker can take advantage of
this condition to cause a denial-of-service.

CVE-2017-3138

Mike Lalumiere of Dyn, Inc. discovered that BIND can exit with a
REQUIRE assertion failure if it receives a null command string on
its control channel. Note that the fix applied in Debian is only
applied as a hardening measure. Details about the issue can be found
at https://kb.isc.org/article/AA-01471.


For Debian 7 "Wheezy", these problems have been fixed in version
1:9.8.4.dfsg.P1-6+nmu2+deb7u16.

We recommend that you upgrade your bind9 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 958-1] libonig security update

Package : libonig
Version : 5.9.1-1+deb7u1
CVE ID : CVE-2017-9224 CVE-2017-9226 CVE-2017-9227 CVE-2017-9228
CVE-2017-9229
Debian Bug : 863312 863314 863315 863316 863318

CVE-2017-9224

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in
Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack
out-of-bounds read occurs in match_at() during regular expression
searching. A logical error involving order of validation and access in
match_at() could result in an out-of-bounds read from a stack buffer.

CVE-2017-9226

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in
Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap
out-of-bounds write or read occurs in next_state_val() during regular
expression compilation. Octal numbers larger than 0xff are not handled
correctly in fetch_token() and fetch_token_in_cc(). A malformed regular
expression containing an octal number in the form of '\700' would
produce an invalid code point value larger than 0xff in
next_state_val(), resulting in an out-of-bounds write memory
corruption.

CVE-2017-9227

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in
Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack
out-of-bounds read occurs in mbc_enc_len() during regular expression
searching. Invalid handling of reg->dmin in forward_search_range()
could result in an invalid pointer dereference, as an out-of-bounds
read from a stack buffer.

CVE-2017-9228

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in
Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap
out-of-bounds write occurs in bitset_set_range() during regular
expression compilation due to an uninitialized variable from an
incorrect state transition. An incorrect state transition in
parse_char_class() could create an execution path that leaves a
critical local variable uninitialized until it's used as an index,
resulting in an out-of-bounds write memory corruption.

CVE-2017-9229

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in
Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs
in left_adjust_char_head() during regular expression compilation.
Invalid handling of reg->dmax in forward_search_range() could result in
an invalid pointer dereference, normally as an immediate
denial-of-service condition.



For Debian 7 "Wheezy", these problems have been fixed in version
5.9.1-1+deb7u1.

We recommend that you upgrade your libonig packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 959-1] libical security update

Package : libical
Version : 0.48-2+deb7u1
CVE ID : CVE-2016-5824 CVE-2016-9584
Debian Bug : 860451 852034

It was discovered that there was a use-after-free vulnerability in the libical
iCalendar library. Remote attackers could cause a denial of service and
possibly read heap memory via a specially crafted .ICS file.

For Debian 7 "Wheezy", this issue has been fixed in libical version
0.48-2+deb7u1.

We recommend that you upgrade your libical packages.

[DLA 960-1] imagemagick security update

Package : imagemagick
Version : 6.7.7.10-5+deb7u14
CVE ID : CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 CVE-2014-8716
CVE-2014-9841 CVE-2015-8900 CVE-2015-8901 CVE-2015-8902
CVE-2015-8903 CVE-2017-7941 CVE-2017-7943 CVE-2017-8343
CVE-2017-8344 CVE-2017-8345 CVE-2017-8346 CVE-2017-8347
CVE-2017-8348 CVE-2017-8349 CVE-2017-8350 CVE-2017-8351
CVE-2017-8352 CVE-2017-8353 CVE-2017-8354 CVE-2017-8355
CVE-2017-8356 CVE-2017-8357 CVE-2017-8765 CVE-2017-8830
CVE-2017-9098 CVE-2017-9141 CVE-2017-9142 CVE-2017-9143
CVE-2017-9144
Debian Bug : 767240 767240 768494 773834 860734 860736 862572 862574
862573 862575 862577 862578 862579 862587 862589 862590
862632 862633 862634 862635 862636 862653 862637 862967
863124 863125 863123 863126


This update fixes several vulnerabilities in imagemagick: Various memory
handling problems and cases of missing or incomplete input sanitising
may result in denial of service, memory disclosure, or the execution of
arbitrary code if malformed PCX, DCM, JPEG, PSD, HDR, MIFF, PDB, VICAR,
SGI, SVG, AAI, MNG, EXR, MAT, SFW, JNG, PCD, XWD, PICT, BMP, MTV, SUN,
EPT, ICON, DDS, or ART files are processed.

For Debian 7 "Wheezy", these problems have been fixed in version
6.7.7.10-5+deb7u14.

We recommend that you upgrade your imagemagick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DSA 3864-1] fop security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3864-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 27, 2017                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : fop
CVE ID : CVE-2017-5661

It was discovered that an XML external entities vulnerability in the
Apache FOP XML formatter may result in information disclosure.
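A defender-side pre-check for this class of bug, added here as an example and not code from Debian or Apache FOP: it uses Python's bundled expat bindings to flag XSL-FO input that declares an external DTD or an external entity before the document is handed to a formatter that may still resolve them. Both sample documents are constructed, and the `file:///placeholder/...` URI is a placeholder.

```python
import xml.parsers.expat


def external_entity_declarations(xml_input):
    """Return a list of (kind, name, location) for every external DTD or
    external entity declared in the document. An empty list means the
    input carries no external references and is safe to pass on.
    expat itself never fetches external entities unless an
    ExternalEntityRefHandler is installed, so scanning here is read-only."""
    found = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # <!DOCTYPE root SYSTEM "..."> pulls in an external DTD subset.
        if system_id is not None or public_id is not None:
            found.append(("doctype", name, system_id or public_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities have a literal value; external ones carry a
        # SYSTEM or PUBLIC identifier, which is what an XXE relies on.
        if system_id is not None or public_id is not None:
            found.append(("entity", name, system_id or public_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(xml_input, True)
    except xml.parsers.expat.ExpatError as exc:
        # Malformed input is rejected too rather than passed through.
        found.append(("parse-error", None, str(exc)))
    return found


# Constructed sample: a clean XSL-FO document with no DOCTYPE at all.
CLEAN_FO = (
    b'<?xml version="1.0"?>'
    b'<fo:root xmlns:fo="http://www.w3.org/1999/XSL/Format">'
    b'<fo:layout-master-set><fo:simple-page-master master-name="p"/>'
    b'</fo:layout-master-set></fo:root>'
)

# Constructed sample: the same document with an external entity declared
# in its internal DTD subset; the URI is a placeholder, not a real target.
SUSPECT_FO = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE fo:root [<!ENTITY ext SYSTEM "file:///placeholder/local-file">]>'
    b'<fo:root xmlns:fo="http://www.w3.org/1999/XSL/Format">'
    b'<fo:layout-master-set><fo:simple-page-master master-name="p"/>'
    b'</fo:layout-master-set></fo:root>'
)
```

The check is a complement to upgrading, not a replacement: a patched formatter configured to disallow DOCTYPE declarations remains the primary fix.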

For the stable distribution (jessie), this problem has been fixed in
version 1:1.1.dfsg2-1+deb8u1.

For the upcoming stable distribution (stretch), this problem has been
fixed in version 1:2.1-6.

For the unstable distribution (sid), this problem has been fixed in
version 1:2.1-6.

We recommend that you upgrade your fop packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/