Debian 9858 Published by

The following updates has been released for Debian 7 LTS:

[DLA 675-1] potrace security update
[DLA 680-1] bash security update
[DLA 681-1] tzdata new upstream version
[DLA 682-1] libdatetime-timezone-perl new upstream version
[DLA 683-1] graphicsmagick security update
[DLA 684-1] libx11 security update
[DLA 685-1] libxi security update
[DLA 686-1] libxtst security update



[DLA 675-1] potrace security update

Package : potrace
Version : 1.10-1+deb7u1
CVE ID : CVE-2013-7437 CVE-2016-8694 CVE-2016-8695
CVE-2016-8696 CVE-2016-8697 CVE-2016-8698
CVE-2016-8699 CVE-2016-8700 CVE-2016-8701
CVE-2016-8702 CVE-2016-8703
Debian Bug : #778646

Multiple vulnerabilities have been found in potrace.

CVE-2013-7437

Multiple integer overflows in potrace 1.11 allow remote attackers
to cause a denial of service (crash) via large dimensions in a BMP
image, which triggers a buffer overflow.
This bug was reported by Murray McAllister of the Red Hat
Security Response Team.

CVE-2016-8694
CVE-2016-8695
CVE-2016-8696

Multiple NULL pointer dereferences in bm_readbody_bmp.
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE-2016-8697

Division by zero in bm_new.
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE-2016-8698
CVE-2016-8699
CVE-2016-8700
CVE-2016-8701
CVE-2016-8702
CVE-2016-8703

Multiple heap-based buffer overflows in bm_readbody_bmp.
This bug was discovered by Agostino Sarubbo of Gentoo.

For Debian 7 "Wheezy", these problems have been fixed in version
1.10-1+deb7u1.

We recommend that you upgrade your potrace packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 680-1] bash security update

Package : bash
Version : 4.2+dfsg-0.1+deb7u3
CVE ID : CVE-2016-7543

An old attack vector has been corrected in bash, a sh-compatible
command language interpreter.

CVE-2016-7543
Specially crafted SHELLOPTS+PS4 environment variables in combination
with insecure setuid binaries can result in root privilege
escalation.

The setuid binary had to both use setuid() function call in
combination with a system() or popen() function call. With this
combination it is possible to gain root access.

I addition bash have to be the default shell (/bin/sh have to point
to bash) for the system to be vulnerable.

The default shell in Debian is dash and there are no known setuid
binaries in Debian with the, above described, insecure combination.

There could however be local software with the, above described,
insecure combination that could benefit from this correction.

For Debian 7 "Wheezy", this problem have been fixed in version
4.2+dfsg-0.1+deb7u3.

We recommend that you upgrade your bash packages.

If there are local software that have the insecure combination and
do a setuid() to some other user than root, then the update will not
correct that problem. That problem have to be addressed in the
insecure setuid binary.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 681-1] tzdata new upstream version

Package : tzdata
Version : 2016h-0+deb7u1

This update includes the changes in tzdata up to 2016h. Notable
changes are:

- Asia/Gaza and Asia/Hebron (DST ending on 2016-10-29 at 01:00,
not 2016-10-21 at 00:00).
- Europe/Istanbul switch from EET/EEST (+02/+03) to permanent +03 on
2016-09-07. While the timezone has changed, the divergence from
EET/EEST will happen on 2016-10-30.
- Turkey switched from EET/EEST (+02/+03) to permanent +03,
effective 2016-09-07.
- New leap second 2016-12-31 23:59:60 UTC as per IERS Bulletin C 52.

For Debian 7 "Wheezy", these problems have been fixed in version
2016h-0+deb7u1.

We recommend that you upgrade your tzdata packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 682-1] libdatetime-timezone-perl new upstream version

Package : libdatetime-timezone-perl
Version : 1:1.58-1+2016h

This update includes the changes in tzdata up to 2016h for the
Perl bindings. For the list of changes, see DLA-681-1.

For Debian 7 "Wheezy", these problems have been fixed in version
1:1.58-1+2016h.

We recommend that you upgrade your libdatetime-timezone-perl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 683-1] graphicsmagick security update

Package : graphicsmagick
Version : 1.3.16-1.1+deb7u5
CVE ID : CVE-2016-7448 CVE-2016-7996 CVE-2016-7997 CVE-2016-8682
CVE-2016-8683 CVE-2016-8684

Several vulnerabilities have been found in the graphicsmagick package
that may lead to denial of service through failed assertions, CPU or
memory usage. Some vulnerabilities may also lead to code execution but
no exploit is currently known.

CVE-2016-7448

Utah RLE: Reject truncated/absurd files which caused huge memory
allocations and/or consumed huge CPU

CVE-2016-7996

missing check that the provided colormap is not larger than 256
entries resulting in potential heap overflow

CVE-2016-7997

denial of service via a crash due to an assertion

CVE-2016-8682

stack-based buffer overflow in ReadSCTImage (sct.c)

CVE-2016-8683

memory allocation failure in ReadPCXImage (pcx.c)

CVE-2016-8684

memory allocation failure in MagickMalloc (memory.c)

For Debian 7 "Wheezy", these problems have been fixed in version
1.3.16-1.1+deb7u5.

We recommend that you upgrade your graphicsmagick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


[DLA 684-1] libx11 security update

Package : libx11
Version : 2:1.5.0-1+deb7u3
CVE ID : CVE-2016-7942 CVE-2016-7943
Debian Bug : 840439

Tobias Stoeckmann from the OpenBSD project discovered the following
vulnerability in libX11, the X11 client-side library:

Insufficient validation of data from the X server
can cause out of boundary memory read (XGetImage())
or write (XListFonts()).

For Debian 7 "Wheezy", these problems have been fixed in version
2:1.5.0-1+deb7u3.

We recommend that you upgrade your libx11 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 685-1] libxi security update

Package : libxi
Version : 2:1.6.1-1+deb7u2
CVE ID : CVE-2016-7945 CVE-2016-7946
Debian Bug : 840440

Tobias Stoeckmann from the OpenBSD project discovered the following
vulnerability in libXi, the X11 input extension library:

Insufficient validation of data from the X server
can cause out of boundary memory access or
endless loops (Denial of Service).

For Debian 7 "Wheezy", these problems have been fixed in version
2:1.6.1-1+deb7u2.

We recommend that you upgrade your libxi packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[DLA 686-1] libxtst security update

Package : libxtst
Version : 2:1.2.1-1+deb7u2
CVE ID : CVE-2016-7951 CVE-2016-7952
Debian Bug : 840444

Tobias Stoeckmann from the OpenBSD project discovered the following
vulnerability in libXtst, the X Record extension:

Insufficient validation of data from the X server
can cause out of boundary memory access or
endless loops (Denial of Service).

For Debian 7 "Wheezy", these problems have been fixed in version
2:1.2.1-1+deb7u2.

We recommend that you upgrade your libxtst packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS