Debian 10166 Published by

The following updates for Debian GNU/Linux has been released:

[DLA 220-1] dpkg security update
[DLA 221-1] tiff security update
[DSA 3261-1] libmodule-signature-perl security update



[DLA 220-1] dpkg security update

Package : dpkg
Version : 1.15.12
CVE ID : CVE-2015-0840
Debian Bug : 617923 695919

Jann Horn discovered that the source package integrity verification in
dpkg-source can be bypassed via a specially crafted Debian source
control file (.dsc). Note that this flaw only affects extraction of
local Debian source packages via dpkg-source but not the installation of
packages from the Debian archive.

For the oldoldstable distribution (squeeze), this problem has been
fixed in version 1.15.12. This also fixes a similar bug discovered
by Ansgar Burchardt and a bug in the same area discovered by Roger
Leigh.

For the oldstable distribution (wheezy), this problem was fixed in
version 1.16.16.

The stable distribution (jessie) was not affected by this problem as
it was fixed before release.

[DLA 221-1] tiff security update

Package : tiff
Version : 3.9.4-5+squeeze12
CVE ID : CVE-2014-8128 CVE-2014-8129 CVE-2014-9330 CVE-2014-9655
Debian Bug : 773987

Several vulnerabilities have been discovered in the LibTIFF library
and utilities for the Tag Image File Format. These could lead to a
denial of service, information disclosure or privilege escalation.

CVE-2014-8128

William Robinet discovered that out-of-bounds writes are triggered
in several of the LibTIFF utilities when processing crafted TIFF
files. Other applications using LibTIFF are also likely to be
affected in the same way.

CVE-2014-8129

William Robinet discovered that out-of-bounds reads and writes are
triggered in tiff2pdf when processing crafted TIFF files. Other
applications using LibTIFF are also likely to be affected in the same
way.

CVE-2014-9330

Paris Zoumpouloglou discovered that out-of-bounds reads and writes are
triggered in bmp2tiff when processing crafted BMP files.

CVE-2014-9655

Michal Zalewski discovered that out-of-bounds reads and writes are
triggered in LibTIFF when processing crafted TIFF files.

For the oldoldstable distribution (squeeze), these problems have been
fixed in version 3.9.4-5+squeeze12.

For the oldstable distribution (wheezy), these problems will be fixed
soon.

The stable distribution (jessie) was not affected by these problems as
they were fixed before release.

[DSA 3261-1] libmodule-signature-perl security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3261-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
May 15, 2015 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libmodule-signature-perl
CVE ID : CVE-2015-3406 CVE-2015-3407 CVE-2015-3408 CVE-2015-3409
Debian Bug : 783451

Multiple vulnerabilities were discovered in libmodule-signature-perl, a
Perl module to manipulate CPAN SIGNATURE files. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2015-3406

John Lightsey discovered that Module::Signature could parses the
unsigned portion of the SIGNATURE file as the signed portion due to
incorrect handling of PGP signature boundaries.

CVE-2015-3407

John Lightsey discovered that Module::Signature incorrectly handles
files that are not listed in the SIGNATURE file. This includes some
files in the t/ directory that would execute when tests are run.

CVE-2015-3408

John Lightsey discovered that Module::Signature uses two argument
open() calls to read the files when generating checksums from the
signed manifest. This allows to embed arbitrary shell commands into
the SIGNATURE file that would execute during the signature
verification process.

CVE-2015-3409

John Lightsey discovered that Module::Signature incorrectly handles
module loading, allowing to load modules from relative paths in
@INC. A remote attacker providing a malicious module could use this
issue to execute arbitrary code during signature verification.

Note that libtest-signature-perl received an update for compatibility
with the fix for CVE-2015-3407 in libmodule-signature-perl.

For the oldstable distribution (wheezy), these problems have been fixed
in version 0.68-1+deb7u2.

For the stable distribution (jessie), these problems have been fixed in
version 0.73-1+deb8u1.

For the testing distribution (stretch), these problems have been fixed
in version 0.78-1.

For the unstable distribution (sid), these problems have been fixed in
version 0.78-1.

We recommend that you upgrade your libmodule-signature-perl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/