[SECURITY] [DLA 789-1] icoutils security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : icoutils
Version        : 0.29.1-5deb7u1
CVE ID         : CVE-2017-5208 CVE-2017-5331 CVE-2017-5332 CVE-2017-5333
Debian Bug     : 850017


Brief introduction 

CVE-2017-5208

    Choongwoo Han reported[0] an exploitable crash in wrestool from
    icoutils. The command line tool is used, e.g., in KDE's
    metadata parsing.

CVE-2017-5331

    It turned out that the correction for CVE-2017-5208 was not enough
    so an additional correction was needed.

CVE-2017-5332

    But as I see it there are still combinations of the arguments which
    make the test succeed even though the memory block identified by
    offset size is not fully inside memory total_size.

CVE-2017-5333

    The memory check was not stringent enough on 64-bit systems.

For Debian 7 "Wheezy", these problems have been fixed in version
0.29.1-5deb7u1.

We recommend that you upgrade your icoutils packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -- 
 -------------- Ola Lundqvist --------------------
/  opal@debian.org       GPG fingerprint          \
|  ola@inguza.com        22F2 32C6 B1E0 F4BF 2B26 |
|  http://inguza.com/    0A6A 5E90 DCFA 9426 876F /
 -------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----
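
The failure mode described under CVE-2017-5332 (an offset/size pair that passes the test although the block is not fully inside total_size) is shown below as an added example. It is a generic overflow-safe range check, not code from icoutils or from the Debian patch; the function names and the sample values are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Naive test: the sum is formed in 32 bits and can wrap around to a
 * small value, so an out-of-range block is accepted. */
static bool naive_in_bounds(uint32_t offset, uint32_t size, uint32_t total_size)
{
    return (uint32_t)(offset + size) <= total_size;
}

/* Overflow-safe test: no addition is performed, so nothing can wrap.
 * size_t keeps the arithmetic at native width on 32- and 64-bit builds. */
static bool block_in_bounds(size_t offset, size_t size, size_t total_size)
{
    return offset <= total_size && size <= total_size - offset;
}

/* Same test for a pointer into a mapped file: convert the pointer to an
 * offset first, rejecting pointers that lie before the start of the map. */
static bool ptr_block_in_bounds(const uint8_t *base, size_t total_size,
                                const uint8_t *p, size_t size)
{
    uintptr_t b = (uintptr_t)base, q = (uintptr_t)p;
    if (q < b)
        return false;
    return block_in_bounds((size_t)(q - b), size, total_size);
}

int main(void)
{
    /* Constructed values: a 4 KiB file and a header claiming a block
     * whose offset + size wraps past 2^32. */
    uint32_t total = 0x1000, off = 0xFFFFFFF0u, len = 0x20;
    uint8_t file[16] = {0};

    printf("naive check accepts:   %d\n", naive_in_bounds(off, len, total));
    printf("safe check accepts:    %d\n", block_in_bounds(off, len, total));
    printf("valid block accepted:  %d\n", block_in_bounds(0x800, 0x800, total));
    printf("pointer past end:      %d\n",
           ptr_block_in_bounds(file, sizeof file, file + 8, 9));
    return 0;
}
```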