[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Debian LTS report for December 2023

During the month of December 2023 and on behalf of Freexian, I worked on the


Uploaded 6.1+20181013-2+deb10u5 and issued DLA-3682-1

  * CVE-2021-39537: The tic(1) utility was susceptible to a
    heap overflow on crafted input due to improper bounds checking.
  * CVE-2023-29491: Local users could trigger security-relevant memory
    corruption via crafted terminfo database file.
    ncurses now further restricts programs running with elevated
    privileges (setuid/setgid programs).  This change aligns ncurses'
    behavior in buster-security with that of Bullseye's latest point
    release (6.2+20201114-2+deb11u2).


Uploaded 1.3.17+dfsg.1-1~deb10u5 and issued DLA-3683-1

  * CVE-2023-47272: cross-site scripting (XSS) vulnerability via a
    Content-Type or Content-Disposition header (used for attachment
    preview or download).
    1.3.x is no longer supported upstream and the code has changed quite a
    lot in 1.4.x, so I ended up backporting the entire download_headers()


Uploaded 3.2.4-1+deb10u12 and issued DLA-3691-1

Backported upstream security fixes from 4.1.10 and 4.1.11.  No CVEs have
been assigned for these vulnerabilities yet.


Uploaded 2.6.2-4+deb10u2 and issued DLA-3701-1

  * CVE-2023-34194: Reachable assertion (and application exit) via a
    crafted XML document with a '\0' located after whitespace.
    tinyxml has been abandoned upstream so I wrote the patch myself.
    Fortunately in this case the fix turned out to be simple.
  * After looking at the researchers' report, I concluded that other
    CVEs (CVE-2023-40462 and CVE-2023-40458) were duplicates for another
    product *using* tinyxml.

Also, uploaded 2.6.2-6.1 to sid after consultation with the maintainer,
and submitted the patch to the Security Team for bullseye and bookworm
which have the same upstream version 2.6.2.


Uploaded 0.6500-1+deb10u1 and issued DLA-3702-1

  * CVE-2023-7101: Improper directive sanitation dynamically evaluated
    code could lead to the execution of arbitrary code by using specially
    crafted Number format strings within XLS and XLSX files.


Uploaded 3.2.2+debian-1+deb10u2 and issued DLA-3704-1

  * CVE-2023-37536: Integer overflow via crafted .xsd files,
    which can lead to out-of-bounds access.
  * While reviewing the upstream history I discovered that
    CVE-2018-1311 was recently fixed upstream in 3.2.5, so replaced the
    previous mitigation patch (which introduced a memory leak) with that
    upstream vetted fix.

Also, uploaded 3.2.4+debian-1.1 to sid after consultation with the
maintainer, and submitted a debdiff (targeting bullseye) to the Security
Team with the aforementioned fixes.


Uploaded 1.4.2-0.1+deb10u2 and issued DLA-3705-1

  * CVE-2023-29197: Improper header parsing which may lead to
    information disclosure or authorization bypass via crafted requests.
    (This is a follow-up to CVE-2022-24775 where the fix was incomplete.)
    Ended up backporting assertHeader() and its call sites, which had been
    omitted in 1.4.2-0.1+deb10u1.

Thanks to the sponsors for financing the above, and to Freexian for

Attachment: signature.asc
Description: PGP signature

Reply to: