-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1018
                          imlib2 security update
                               26 April 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           imlib2
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service        -- Remote with User Interaction
                   Access Confidential Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-4024 CVE-2016-3994 CVE-2016-3993
                   CVE-2014-9771 CVE-2011-5326 

Original Bulletin: 
   http://www.debian.org/security/2016/dsa-3555

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running imlib2 check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3555-1                   security@debian.org
https://www.debian.org/security/                       Alessandro Ghedini
April 23, 2016                        https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : imlib2
CVE ID         : CVE-2011-5326 CVE-2014-9771 CVE-2016-3993 CVE-2016-3994
                 CVE-2016-4024
Debian Bug     : 639414 785369 819818 820206 821732

Several vulnerabilities were discovered in imlib2, an image manipulation
library.

CVE-2011-5326

    Kevin Ryde discovered that attempting to draw an ellipse with 2x1 radii
    results in a floating point exception.

CVE-2014-9771

    It was discovered that an integer overflow could lead to invalid
    memory reads and unreasonably large memory allocations.

CVE-2016-3993

    Yuriy M. Kaminskiy discovered that drawing using coordinates from
    an untrusted source could lead to an out-of-bound memory read, which
    in turn could result in an application crash.

CVE-2016-3994

    Jakub Wilk discovered that a malformed image could lead to an
    out-of-bound read in the GIF loader, which may result in an
    application crash or information leak.

CVE-2016-4024

    Yuriy M. Kaminskiy discovered an integer overflow that could lead to
    an insufficient heap allocation and out-of-bound memory write.
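
The last three entries describe two bug classes that recur in image
libraries: an arithmetic overflow when the pixel-buffer size is computed
from header-supplied dimensions (CVE-2014-9771, CVE-2016-4024), and drawing
at coordinates that were never clipped to the image (CVE-2016-3993). The C
example below is added to this bulletin and is not taken from imlib2 or from
Debian; it shows the unchecked size computation beside an overflow-checked
one with an explicit size policy, and a rectangle fill that clips untrusted
coordinates before any pixel is touched. The image_t struct, the function
names and the 1 GiB cap are constructed for illustration.

```c
/* Constructed example (not imlib2 code): defensive checks for the bug
 * classes in DSA-3555. Struct, function names and the size cap are
 * hypothetical. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define BYTES_PER_PIXEL 4u                 /* 32-bit ARGB pixels */
#define MAX_IMAGE_BYTES ((size_t)1 << 30)  /* illustrative policy cap: 1 GiB */

typedef struct {
    int w, h;
    uint32_t *data;                        /* w * h pixels, row-major */
} image_t;

/* Unsafe pattern: w*h*4 in 32-bit unsigned arithmetic wraps for large
 * dimensions, so the buffer allocated is far smaller than the pixel data
 * later written into it (the class of CVE-2014-9771 / CVE-2016-4024). */
unsigned naive_pixel_bytes(int w, int h)
{
    return (unsigned)w * (unsigned)h * BYTES_PER_PIXEL;
}

/* Safe pattern: reject non-positive dimensions, test each multiplication
 * for overflow before doing it, and apply an explicit size policy so a
 * malformed header cannot request an absurd allocation.
 * Returns 1 and stores the byte count in *out, or 0 if rejected. */
int checked_pixel_bytes(int w, int h, size_t *out)
{
    if (w <= 0 || h <= 0 || out == NULL)
        return 0;
    size_t uw = (size_t)w, uh = (size_t)h;
    if (uw > SIZE_MAX / uh)                  /* uw * uh would wrap */
        return 0;
    size_t pixels = uw * uh;
    if (pixels > SIZE_MAX / BYTES_PER_PIXEL) /* pixels * 4 would wrap */
        return 0;
    size_t bytes = pixels * BYTES_PER_PIXEL;
    if (bytes > MAX_IMAGE_BYTES)             /* policy limit */
        return 0;
    *out = bytes;
    return 1;
}

/* Allocate a zeroed image, or return NULL if the size is rejected. */
image_t *image_create(int w, int h)
{
    size_t bytes;
    if (!checked_pixel_bytes(w, h, &bytes))
        return NULL;
    image_t *img = malloc(sizeof *img);
    if (img == NULL)
        return NULL;
    img->w = w;
    img->h = h;
    img->data = calloc(1, bytes);
    if (img->data == NULL) {
        free(img);
        return NULL;
    }
    return img;
}

void image_free(image_t *img)
{
    if (img != NULL) {
        free(img->data);
        free(img);
    }
}

/* Fill a rectangle given in caller-supplied, possibly untrusted, coordinates.
 * The rectangle is clipped to the image before any pixel is touched, so
 * out-of-range coordinates can neither read nor write past img->data (the
 * class of CVE-2016-3993). Edges are computed in 64-bit so x + w cannot
 * itself overflow. Returns the number of pixels actually written. */
size_t fill_rect(image_t *img, int x, int y, int w, int h, uint32_t color)
{
    if (img == NULL || w <= 0 || h <= 0)
        return 0;
    int64_t x0 = x, y0 = y;
    int64_t x1 = (int64_t)x + w, y1 = (int64_t)y + h;
    if (x0 < 0) x0 = 0;
    if (y0 < 0) y0 = 0;
    if (x1 > img->w) x1 = img->w;
    if (y1 > img->h) y1 = img->h;
    if (x0 >= x1 || y0 >= y1)
        return 0;                          /* entirely outside the image */
    size_t written = 0;
    for (int64_t row = y0; row < y1; row++) {
        uint32_t *p = img->data + (size_t)row * (size_t)img->w + (size_t)x0;
        for (int64_t col = x0; col < x1; col++)
            *p++ = color;
        written += (size_t)(x1 - x0);
    }
    return written;
}

int main(void)
{
    size_t n;
    printf("naive 65536x65536 -> %u bytes (wrapped)\n",
           naive_pixel_bytes(65536, 65536));
    printf("checked 65536x65536 -> %s\n",
           checked_pixel_bytes(65536, 65536, &n) ? "ok" : "rejected");
    image_t *img = image_create(8, 8);
    if (img == NULL)
        return 1;
    printf("fill_rect(6,6,10,10) on 8x8 wrote %zu pixels\n",
           fill_rect(img, 6, 6, 10, 10, 0xFFFF0000u));
    image_free(img);
    return 0;
}
```

The wrap in naive_pixel_bytes is exactly why a 65536x65536 header can end
up with a zero-byte or tiny allocation; checked_pixel_bytes rejects the
same request before anything is allocated, and fill_rect shows that
clipping once, at the API boundary, is enough to make every later pixel
access in-bounds regardless of what the caller passed.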

For the oldstable distribution (wheezy), these problems have been fixed
in version 1.4.5-1+deb7u2.

For the stable distribution (jessie), these problems have been fixed in
version 1.4.6-2+deb8u2.

For the unstable distribution (sid), these problems have been fixed in
version 1.4.8-1.

We recommend that you upgrade your imlib2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJXG/nbAAoJEK+lG9bN5XPLmygP/1YrypjqRVSwpNfiPHUbPuSg
kFhMouzCPFztDKCDf5EQYnajZ7u74zyyRVtR4DBOjIOiXQR4PlT5bcyBCkEuO8zp
HQQiRSWbErCJEnT93ryjOIE0Weql5kMWEXzN8Gucr8WLwOd8IK5mBfJ6ROnBnsuY
1YRxuRt/FScfER70irZcSZagQqcifWPnmNw7s4qXrRkxoAvmq+AM9EtXQEnvNvtE
O2fUlD5RLHWnkNpxAu11dwbvkEOpDVBaYj21TDsYyb1OzUxt9DL5VgGr7Fli/5H4
BJE8G7jbVZQ5OaRD2vkXIrV1+6vczIFk+vrqxOqq8lwK/SNvpyjVIty1guPcX3TR
pCk2v3hHBUg4bL2EEo2Qt6KsZNLvcFFWeSs8690Y2cXLh72AiIzZavwqUybIH2nd
SljzD64QCM6uJHLnMwDxVum1h2ma1LUGp9Y6BMar09AwEG66H6N+7vUtuKmQBfDF
c5L5fMwjC3Xe6ByQAK71gqzsfSdfAweztYm2n5n//fakhv6OINOAaIvQPv2KnTgA
MzqOxc1If+HYgaVYnzkwBBpJWTu3oVqwQqkyq7D40Bf7SK5VN37m7jLsYCKIRC1M
MA/u+QNFlAVbAq0o6ghlNFspcnF+JAdXOjiCrxK8xNwyXsKfJomIvhG1iDtYOMse
XMipF2mhl3pe4KdFauUE
=+2Hm
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
=EfYG
-----END PGP SIGNATURE-----