-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0060
                           t1lib security update
                              16 January 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           t1lib
Publisher:         Debian
Operating System:  Debian GNU/Linux 5
                   Debian GNU/Linux 6
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-1554 CVE-2011-1553 CVE-2011-1552
                   CVE-2011-0764 CVE-2011-0433 CVE-2010-2642

Reference:         ESB-2011.1274
                   ESB-2011.1193
                   ESB-2011.0381
                   ESB-2011.0374
                   ESB-2011.0018

Original Bulletin:
   http://www.debian.org/security/2012/dsa-2388

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2388-1                   security@debian.org
http://www.debian.org/security/                         Yves-Alexis Perez
January 14, 2012                       http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : t1lib
Vulnerability  : several
Problem type   : local
Debian-specific: no
CVE ID         : CVE-2010-2642 CVE-2011-0433 CVE-2011-0764 CVE-2011-1552
                 CVE-2011-1553 CVE-2011-1554
Debian Bug     : 652996

Several vulnerabilities were discovered in t1lib, a Postscript Type 1 font
rasterizer library, some of which might lead to code execution through the
opening of files embedding bad fonts.

CVE-2010-2642

   A heap-based buffer overflow in the AFM font metrics parser potentially
   leads to the execution of arbitrary code.

CVE-2011-0433

   Another heap-based buffer overflow in the AFM font metrics parser
   potentially leads to the execution of arbitrary code.

CVE-2011-0764

   An invalid pointer dereference allows execution of arbitrary code using
   crafted Type 1 fonts.

CVE-2011-1552

   Another invalid pointer dereference results in an application crash,
   triggered by crafted Type 1 fonts.

CVE-2011-1553

   A use-after-free vulnerability results in an application crash,
   triggered by crafted Type 1 fonts.

CVE-2011-1554

   An off-by-one error results in an invalid memory read and application
   crash, triggered by crafted Type 1 fonts.

For the oldstable distribution (lenny), this problem has been fixed in
version 5.1.2-3+lenny1.

For the stable distribution (squeeze), this problem has been fixed in
version 5.1.2-3+squeeze1.

For the testing distribution (wheezy), this problem has been fixed in
version 5.1.2-3.3.

For the unstable distribution (sid), this problem has been fixed in
version 5.1.2-3.3.

We recommend that you upgrade your t1lib packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJPEqtaAAoJEL97/wQC1SS++s4H/1V+Q5spiTcrjuLqFrwyljqz
YtEtm2jVuZKNJwXmntLA3hpyO6cAbw7yZVfimcJagGb7Vc8PkeCR4L+U7Hl7FGk2
4QELdzlMYeM7bJdchBmrmrv0Jd7jhqAek4MMO2gMJyaNxDwnjvWpjWtf1wYzPlJ5
3kopGxF0nKf47IsFd6fFwu5mkCl+RwhG5b0JVuyPYqxr2ir64iS3rcMIxCS3yBOc
IgYhNwNW+WQaJP5MwXelLnzkKJJGmugk9SrLaazVlIRGOXu34RZfziByxbQQQCF6
jGKm2L9ZcWfkDBHsoldEyP1J3WQLNUEqyxzLEib78D/28jEiuAu0GWNCkE+sO78=
=uEYD
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTxNl/+4yVqjM2NGpAQJWJQ//ZBma4IzSAX2iUiIq1y2+/6SbYIQUG8RU
XKnXCZRMxhR0HWb/A1KXcXqHzq7lB18W4AWWl2w3T2ho05RvgKbj2wPvoX4AHKzj
uLB2bEwf9pRhzFFC+V3Qzb3NbR1Y3bOcO+v/TJnStYa3Ri2UTd+oYT1mPvyCvaQC
XFYQ7cGqpigOOkwUACXAx94f0I/sOqri5cqO8WnzYyBSMFq7cU/+luk6/kyfIxuK
sz+a63oS6xxk7U463f/XzwovIbOp7Qhf7qNlx7rZp5RCS/j9L3Z+iLvJnDZjElmL
YkwLZ8xsHafhsacMHFAQGyNdwGclfLdjpHOhQGdQOolRA2Tv2zWviF0jjUnlmwa9
yI/VNat2zQJtSuM/Qub85CCuu9oQWFGC7GJFPOyiDYHHB6a7cOOGwVe27WUK7xRl
YkrpBHtC9UxJs1op+vvRJBhzjtbxIEaoqR/vNdjTQJ0HVPBXqd8rIbKhtovc6GN7
A/oMceGbfaCStm4lwSbJJkrHcubqNEALUP6yUXFwmWYwjD27HHcqUmI42dFMSU6w
K4X3b1UjHO6r9cY+clQUAO4nnESKJpD7PZ7GzYaCFW0aFZ/N+5zrjw2Vd/FuA54i
qHThHLFpgfZn4una/r7NwYa/Eu/uq01vszRF2ZlwV34e7fESPASpXBKmwkI5pchY
YykBsqd/ra8=
=H7WP
-----END PGP SIGNATURE-----
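The advisory's resolution is to upgrade to the per-suite fixed versions it lists (5.1.2-3+lenny1, 5.1.2-3+squeeze1, 5.1.2-3.3). Checking that with a plain string comparison gets Debian version strings wrong (for example, "3.3" sorts above "3+squeeze1" and "3~rc1" sorts below "3" under dpkg rules). The following script is an added example, not part of the AusCERT or Debian bulletin: it implements the dpkg version ordering (epoch, upstream version, Debian revision, with "~" sorting before everything) and audits package versions against the advisory's fixed-version table. The package names and the dpkg-query output it reads are constructed sample data, and the function names are this example's own.

```python
"""Audit installed t1lib package versions against the fixed versions in DSA-2388-1.

Added example (not part of the AusCERT/Debian bulletin). The dpkg output below
is constructed sample data; the comparison follows the dpkg version algorithm.
"""
import itertools
import re

# Fixed versions exactly as stated in DSA-2388-1, keyed by Debian suite.
FIXED_VERSIONS = {
    "lenny": "5.1.2-3+lenny1",
    "squeeze": "5.1.2-3+squeeze1",
    "wheezy": "5.1.2-3.3",
    "sid": "5.1.2-3.3",
}


def _char_order(c):
    """dpkg character ordering: '~' sorts before end-of-string, which sorts
    before letters, which sort before every other character."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _compare_fragment(a, b):
    """Compare one version component (upstream or revision) the way dpkg does:
    alternate non-digit runs (ordered per _char_order) and numeric runs."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for x, y in itertools.zip_longest(na, nb, fillvalue=""):
            ox, oy = _char_order(x), _char_order(y)
            if ox != oy:
                return -1 if ox < oy else 1
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def split_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, revision = version, ""
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a against b as dpkg --compare-versions does."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    result = _compare_fragment(ua, ub)
    if result:
        return result
    return _compare_fragment(ra, rb)


def is_fixed(installed, suite):
    """True if the installed version is at or above the advisory's fixed version."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) >= 0


# Constructed sample of `dpkg-query -W -f '${Package} ${Version}\n' 'libt1*'`
# on a squeeze host where only the -dev package has been upgraded.
SAMPLE_DPKG_OUTPUT = """\
libt1-5 5.1.2-3
libt1-dev 5.1.2-3+squeeze1
"""


def audit(dpkg_output, suite):
    """Map each package in the dpkg output to whether it carries the fix."""
    status = {}
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        package, version = line.split()
        status[package] = is_fixed(version, suite)
    return status


if __name__ == "__main__":
    for package, fixed in audit(SAMPLE_DPKG_OUTPUT, "squeeze").items():
        print(f"{package}: {'fixed' if fixed else 'VULNERABLE, upgrade'}")
```

On a real host, replace the constructed sample with the output of the dpkg-query command named in the comment and pass the host's suite name; the runtime library package (libt1-5 here) is the one that matters for applications rendering fonts, so an upgraded -dev package alone leaves the exposure in place.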