Debian 9858 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 8 LTS:
DLA 1611-1: libav security update
DLA 1611-2: libav security update

Debian GNU/Linux 9:
DSA 4356-1: netatalk security update
DSA 4357-1: libapache-mod-jk security update



DLA 1611-1: libav security update

Package : libav
Version : 6:11.12-1~deb8u2
CVE ID : CVE-2014-9317 CVE-2015-6761 CVE-2015-6818 CVE-2015-6820
CVE-2015-6821 CVE-2015-6822
CVE-2015-6825 CVE-2015-6826 CVE-2015-8216 CVE-2015-8217
CVE-2015-8363 CVE-2015-8364 CVE-2015-8661 CVE-2015-8662
CVE-2015-8663 CVE-2016-10190 CVE-2016-10191


Several security issues have been corrected in multiple demuxers and
decoders of the libav multimedia library.

CVE-2014-9317

The decode_ihdr_chunk function in libavcodec/pngdec.c allowed remote
attackers to cause a denial of service (out-of-bounds heap access)
and possibly had other unspecified impact via an IDAT before an IHDR
in a PNG file. The issue got addressed by checking IHDR/IDAT order.

CVE-2015-6761

The update_dimensions function in libavcodec/vp8.c in libav relies on
a coefficient-partition count during multi-threaded operation, which
allowed remote attackers to cause a denial of service (race condition
and memory corruption) or possibly have unspecified other impact via
a crafted WebM file. This issue has been resolved by using
num_coeff_partitions in thread/buffer setup. The variable is not a
constant and can lead to race conditions.

CVE-2015-6818

The decode_ihdr_chunk function in libavcodec/pngdec.c did not enforce
uniqueness of the IHDR (aka image header) chunk in a PNG image, which
allowed remote attackers to cause a denial of service (out-of-bounds
array access) or possibly have unspecified other impact via a crafted
image with two or more of these chunks. This has now been fixed by
only allowing one IHDR chunk. Multiple IHDR chunks are forbidden in
PNG.

CVE-2015-6820

The ff_sbr_apply function in libavcodec/aacsbr.c did not check for a
matching AAC frame syntax element before proceeding with Spectral
Band Replication calculations, which allowed remote attackers to
cause a denial of service (out-of-bounds array access) or possibly
have unspecified other impact via crafted AAC data. This has now been
fixed by checking that the element type matches before applying SBR.

CVE-2015-6821

The ff_mpv_common_init function in libavcodec/mpegvideo.c did not
properly maintain the encoding context, which allowed remote
attackers to cause a denial of service (invalid pointer access) or
possibly have unspecified other impact via crafted MPEG data. The
issue has been resolved by clearing pointers in ff_mpv_common_init().
This ensures that no stale pointers leak through on any path.

CVE-2015-6822

The destroy_buffers function in libavcodec/sanm.c did not properly
maintain height and width values in the video context, which allowed
remote attackers to cause a denial of service (segmentation violation
and application crash) or possibly have unspecified other impact via
crafted LucasArts Smush video data. The solution to this was to reset
sizes in destroy_buffers() in avcodec/sanm.c.

CVE-2015-6823

Other than stated in the debian/changelog file, this issue
has not yet been fixed for libav in Debian jessie LTS.

CVE-2015-6824

Other than stated in the debian/changelog file, this issue
has not yet been fixed for libav in Debian jessie LTS.

CVE-2015-6825

The ff_frame_thread_init function in libavcodec/pthread_frame.c
mishandled certain memory-allocation failures, which allowed remote
attackers to cause a denial of service (invalid pointer access) or
possibly have unspecified other impact via a crafted file, as
demonstrated by an AVI file. Clearing priv_data in
avcodec/pthread_frame.c has resolved this and now avoids stale
pointer in error case.

CVE-2015-6826

The ff_rv34_decode_init_thread_copy function in libavcodec/rv34.c did
not initialize certain structure members, which allowed remote
attackers to cause a denial of service (invalid pointer access) or
possibly have unspecified other impact via crafted (1) RV30 or (2)
RV40 RealVideo data. This issue got addressed by clearing pointers in
ff_rv34_decode_init_thread_copy() in avcodec/rv34.c, which avoids
leaving stale pointers.

CVE-2015-8216

The ljpeg_decode_yuv_scan function in libavcodec/mjpegdec.c in FFmpeg
omitted certain width and height checks, which allowed remote
attackers to cause a denial of service (out-of-bounds array access)
or possibly have unspecified other impact via crafted MJPEG data. The
issues have been fixed by adding a check for index to
avcodec/mjpegdec.c in ljpeg_decode_yuv_scan() before using it, which
fixes an out of array access.

CVE-2015-8217

The ff_hevc_parse_sps function in libavcodec/hevc_ps.c did not
validate the Chroma Format Indicator, which allowed remote attackers
to cause a denial of service (out-of-bounds array access) or possibly
have unspecified other impact via crafted High Efficiency Video
Coding (HEVC) data. A check of chroma_format_idc in avcodec/hevc_ps.c
has now been added to fix this out of array access.

CVE-2015-8363

The jpeg2000_read_main_headers function in libavcodec/jpeg2000dec.c
did not enforce uniqueness of the SIZ marker in a JPEG 2000 image,
which allowed remote attackers to cause a denial of service
(out-of-bounds heap-memory access) or possibly have unspecified other
impact via a crafted image with two or more of these markers. In
avcodec/jpeg2000dec.c a check for duplicate SIZ marker has been added
to fix this.

CVE-2015-8364

Integer overflow in the ff_ivi_init_planes function in
libavcodec/ivi.c allowed remote attackers to cause a denial of
service (out-of-bounds heap-memory access) or possibly have
unspecified other impact via crafted image dimensions in Indeo Video
Interactive data. A check of image dimensions has been added to the
code (in avcodec/ivi.c) that fixes this integer overflow now.

CVE-2015-8661

The h264_slice_header_init function in libavcodec/h264_slice.c did
not validate the relationship between the number of threads and the
number of slices, which allowed remote attackers to cause a denial of
service (out-of-bounds array access) or possibly have unspecified
other impact via crafted H.264 data. In avcodec/h264_slice.c now
max_contexts gets limited when slice_context_count is initialized.
This avoids an out of array access.

CVE-2015-8662

The ff_dwt_decode function in libavcodec/jpeg2000dwt.c did not
validate the number of decomposition levels before proceeding with
Discrete Wavelet Transform decoding, which allowed remote attackers
to cause a denial of service (out-of-bounds array access) or possibly
have unspecified other impact via crafted JPEG 2000 data. In
avcodec/jpeg2000dwt.c a check of ndeclevels has been added before
calling dwt_decode*(). This fixes an out of array access.

CVE-2015-8663

The ff_get_buffer function in libavcodec/utils.c preserved width and
height values after a failure, which allowed remote attackers to
cause a denial of service (out-of-bounds array access) or possibly
have unspecified other impact via a crafted .mov file. Now,
dimensions get cleared in ff_get_buffer() on failure, which fixes
the cause for an out of array access.

CVE-2016-10190

A heap-based buffer overflow in libavformat/http.c allowed remote web
servers to execute arbitrary code via a negative chunk size in an
HTTP response. In libavformat/http.c the length/offset-related
variables have been made unsigned. This fix required inclusion of
two other changes ported from ffmpeg upstream Git (commits 3668701f
and 362c17e6).

CVE-2016-10191

Another heap-based buffer overflow in libavformat/rtmppkt.c allowed
remote attackers to execute arbitrary code by leveraging failure to
check for RTMP packet size mismatches. By checking for packet size
mismatched, this out of array access has been resolved.

For Debian 8 "Jessie", these problems have been fixed in version
6:11.12-1~deb8u2.

We recommend that you upgrade your libav packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1611-2: libav security update

Package : libav
Version : 6:11.12-1~deb8u3
CVE ID : CVE-2015-6822 CVE-2015-6823 CVE-2015-6824


Two more security issues have been corrected in the libav multimedia library. This is a follow-up announcement for DLA-1611-1.

CVE-2015-6823

The allocate_buffers function in libavcodec/alac.c did not initialize
certain context data, which allowed remote attackers to cause a
denial of service (segmentation violation) or possibly have
unspecified other impact via crafted Apple Lossless Audio Codec
(ALAC) data. This issues has now been addressed by clearing pointers
in avcodec/alac.c's allocate_buffers().

Other than stated in debian/changelog of upload 6:11.12-1~deb8u2,
this issue only now got fixed with upload of 6:11.12-1~deb8u3.

CVE-2015-6824

The sws_init_context function in libswscale/utils.c did not
initialize certain pixbuf data structures, which allowed remote
attackers to cause a denial of service (segmentation violation) or
possibly have unspecified other impact via crafted video data. In
swscale/utils.c now these pix buffers get cleared which fixes use of
uninitialized memory.

Other than stated in debian/changelog of upload 6:11.12-1~deb8u2,
this issue only now got fixed with upload of 6:11.12-1~deb8u3.

For Debian 8 "Jessie", these problems have been fixed in version
6:11.12-1~deb8u3.

We recommend that you upgrade your libav packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DSA 4356-1: netatalk security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4356-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 20, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : netatalk
CVE ID : CVE-2018-1160
Debian Bug : 916930

Jacob Baines discovered a flaw in the handling of the DSI Opensession
command in Netatalk, an implementation of the AppleTalk Protocol Suite,
allowing an unauthenticated user to execute arbitrary code with root
privileges.

For the stable distribution (stretch), this problem has been fixed in
version 2.2.5-2+deb9u1.

We recommend that you upgrade your netatalk packages.

For the detailed security status of netatalk please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/netatalk

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/



DSA 4357-1: libapache-mod-jk security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4357-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 20, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libapache-mod-jk
CVE ID : CVE-2018-11759

Raphael Arrouas and Jean Lejeune discovered an access control bypass
vulnerability in mod_jk, the Apache connector for the Tomcat Java
servlet engine. The vulnerability is addressed by upgrading mod_jk to
the new upstream version 1.2.46, which includes additional changes.

https://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html#Changes_between_1.2.42_and_1.2.43
https://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html#Changes_between_1.2.43_and_1.2.44
https://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html#Changes_between_1.2.44_and_1.2.45
https://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html#Changes_between_1.2.45_and_1.2.46

For the stable distribution (stretch), this problem has been fixed in
version 1:1.2.46-0+deb9u1.

We recommend that you upgrade your libapache-mod-jk packages.

For the detailed security status of libapache-mod-jk please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/libapache-mod-jk

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/