Debian 9844 Published by

The following updates has been released for Debian 8:

[DSA 3562-1] tardiff security update
[DSA 3563-1] poppler security update



[DSA 3562-1] tardiff security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3562-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 01, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : tardiff
CVE ID : CVE-2015-0857 CVE-2015-0858

Several vulnerabilities were discovered in tardiff, a tarball comparison
tool. The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2015-0857

Rainer Mueller and Florian Weimer discovered that tardiff is prone
to shell command injections via shell meta-characters in filenames
in tar files or via shell meta-characters in the tar filename
itself.

CVE-2015-0858

Florian Weimer discovered that tardiff uses predictable temporary
directories for unpacking tarballs. A malicious user can use this
flaw to overwrite files with permissions of the user running the
tardiff command line tool.

For the stable distribution (jessie), these problems have been fixed in
version 0.1-2+deb8u2.

For the unstable distribution (sid), these problems have been fixed in
version 0.1-5 and partially in earlier versions.

We recommend that you upgrade your tardiff packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[DSA 3563-1] poppler security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3563-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
May 01, 2016 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : poppler
CVE ID : CVE-2015-8868

It was discovered that a heap overflow in the Poppler PDF library may
result in denial of service and potentially the execution of arbitrary
code if a malformed PDF file is opened.

For the stable distribution (jessie), this problem has been fixed in
version 0.26.5-2+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 0.38.0-3.

For the unstable distribution (sid), this problem has been fixed in
version 0.38.0-3.

We recommend that you upgrade your poppler packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/