Debian 10158 Published by

The following updates has been released for Debian GNU/Linux:

Debian GNU/Linux 7 Extended LTS:
ELA-148-1: bind9 security update

Debian GNU/Linux 8 LTS:
DLA 1865-1: sdl-image1.2 security update

Debian GNU/Linux 9 and 10:
DSA 4489-1: patch security update



ELA-148-1: bind9 security update

Package: bind9
Version: 1:9.8.4.dfsg.P1-6+nmu2+deb7u23
Related CVE: CVE-2018-5743
A vulnerability was found in the Bind DNS Server. Limits on simultaneous tcp connections have not been enforced correctly and could lead to exhaustion of file descriptors. In the worst case this could affect the file descriptors of the whole system.

For Debian 7 Wheezy, these problems have been fixed in version 1:9.8.4.dfsg.P1-6+nmu2+deb7u23.

We recommend that you upgrade your bind9 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

DLA 1865-1: sdl-image1.2 security update

Package : sdl-image1.2
Version : 1.2.12-5+deb9u2
CVE ID : CVE-2018-3977 CVE-2019-5051 CVE-2019-5052 CVE-2019-7635
CVE-2019-12216 CVE-2019-12217 CVE-2019-12218 CVE-2019-12219
CVE-2019-12220 CVE-2019-12221 CVE-2019-12222

The following issues have been found in sdl-image1.2, the 1.x version of the
image file loading library.

CVE-2018-3977

Heap buffer overflow in IMG_xcf.c. This vulnerability might be leveraged by
remote attackers to cause remote code execution or denial of service via a
crafted XCF file.

CVE-2019-5051

Heap based buffer overflow in IMG_LoadPCX_RW, in IMG_pcx.c. This
vulnerability might be leveraged by remote attackers to cause remote code
execution or denial of service via a crafted PCX file.

CVE-2019-5052

Integer overflow and subsequent buffer overflow in IMG_pcx.c. This
vulnerability might be leveraged by remote attackers to cause remote code
execution or denial of service via a crafted PCX file.

CVE-2019-7635

Heap buffer overflow affecting Blit1to4, in IMG_bmp.c. This vulnerability
might be leveraged by remote attackers to cause denial of service or any
other unspecified impact via a crafted BMP file.

CVE-2019-12216,
CVE-2019-12217,
CVE-2019-12218,
CVE-2019-12219,
CVE-2019-12220,
CVE-2019-12221,
CVE-2019-12222

Multiple out-of-bound read and write accesses affecting IMG_LoadPCX_RW, in
IMG_pcx.c. These vulnerabilities might be leveraged by remote attackers to
cause denial of service or any other unspecified impact via a crafted PCX
file.

For Debian 8 "Jessie", these problems have been fixed in version
1.2.12-5+deb9u2.

We recommend that you upgrade your sdl-image1.2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DSA 4489-1: patch security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4489-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 27, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : patch
CVE ID : CVE-2019-13636 CVE-2019-13638
Debian Bug : 932401 933140

Imre Rad discovered several vulnerabilities in GNU patch, leading to
shell command injection or escape from the working directory and access
and overwrite files, if specially crafted patch files are processed.

This update includes a bugfix for a regression introduced by the patch
to address CVE-2018-1000156 when applying an ed-style patch (#933140).

For the oldstable distribution (stretch), these problems have been fixed
in version 2.7.5-1+deb9u2.

For the stable distribution (buster), these problems have been fixed in
version 2.7.6-3+deb10u1.

We recommend that you upgrade your patch packages.

For the detailed security status of patch please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/patch

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/