[DLA 4142-1] libraw security update
[DLA 4143-1] glibc security update
[SECURITY] [DLA 4142-1] libraw security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4142-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andreas Henriksson
April 29, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libraw
Version : 0.20.2-1+deb11u2
CVE ID : CVE-2025-43961 CVE-2025-43962 CVE-2025-43963 CVE-2025-43964
Debian Bug : 1103781 1103782 1103783
LibRaw is a library for reading RAW files obtained from digital photo cameras
(CRW/CR2, NEF, RAF, DNG, and others).
CVE-2025-43961
metadata/tiff.cpp has an out-of-bounds read in the Fujifilm 0xf00c tag
parser.
CVE-2025-43962
phase_one_correct in decoders/load_mfbacks.cpp has out-of-bounds reads for
tag 0x412 processing, related to large w0 or w1 values or the frac and mult
calculations.
CVE-2025-43963
phase_one_correct in decoders/load_mfbacks.cpp allows out-of-buffer access
because split_col and split_row values are not checked in 0x041f tag
processing.
CVE-2025-43964
tag 0x412 processing in phase_one_correct in decoders/load_mfbacks.cpp does
not enforce minimum w0 and w1 values.
For Debian 11 bullseye, these problems have been fixed in version
0.20.2-1+deb11u2.
We recommend that you upgrade your libraw packages.
For the detailed security status of libraw please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libraw
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4143-1] glibc security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4143-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sean Whitton
April 30, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : glibc
Version : 2.31-13+deb11u12
CVE ID : CVE-2025-0395
A flaw was discovered in the implementation of the assert() function in
the GNU C Library, the C standard library implementation used by Debian.
When the assertion fails, the implementation does not allocate enough
space for the assertion failure message string and size information,
which may lead to a buffer overflow if the message string size aligns to
page size.
For Debian 11 bullseye, this problem has been fixed in version
2.31-13+deb11u12.
We recommend that you upgrade your glibc packages.
For the detailed security status of glibc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/glibc
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
