Operating System:

[Debian]

Published:

25 November 2016

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2804
                    gst-plugins-good1.0 security update
                             25 November 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           gst-plugins-good1.0
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-9636 CVE-2016-9635 CVE-2016-9634

Original Bulletin: 
   http://www.debian.org/security/2016/dsa-3723
   http://www.debian.org/security/2016/dsa-3724

Comment: This bulletin contains two (2) Debian security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3723-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 24, 2016                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : gst-plugins-good1.0
CVE ID         : CVE-2016-9634 CVE-2016-9635 CVE-2016-9636
Debian Bug     : 845375

Chris Evans discovered that the GStreamer 1.0 plugin used to decode
files in the FLIC format allowed execution of arbitrary code. Further
details can be found in his advisory at
https://scarybeastsecurity.blogspot.de/2016/11/0day-exploit-advancing-exploitation.html

For the stable distribution (jessie), these problems have been fixed in
version 1.4.4-2+deb8u2.

For the unstable distribution (sid), these problems have been fixed in
version 1.10.1-2.

We recommend that you upgrade your gst-plugins-good1.0 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3724-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 24, 2016                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : gst-plugins-good0.10
CVE ID         : CVE-2016-9634 CVE-2016-9635 CVE-2016-9636

Chris Evans discovered that the GStreamer 0.10 plugin used to decode
files in the FLIC format allowed execution of arbitrary code. Further
details can be found in his advisory at
https://scarybeastsecurity.blogspot.de/2016/11/0day-exploit-advancing-exploitation.html

This update removes the insecure FLIC file format plugin.

For the stable distribution (jessie), these problems have been fixed in
version 0.10.31-3+nmu4+deb8u2.

We recommend that you upgrade your gst-plugins-good0.10 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
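The two advisories above name the jessie versions that carry the fix (1.4.4-2+deb8u2 and 0.10.31-3+nmu4+deb8u2) but leave the check to the administrator. The following is an added example, not part of the AusCERT bulletin or the Debian advisories: it reimplements dpkg's version ordering in Python so that output from `dpkg-query -W -f='${source:Package} ${Package} ${Version}\n'` can be checked against the fixed versions on any host, including one without dpkg. The sample dpkg-query output and the pre-fix version strings in it are constructed.

```python
import re

FIXED = {  # fixed versions for jessie, as stated in DSA-3723 and DSA-3724
    "gst-plugins-good1.0": "1.4.4-2+deb8u2",
    "gst-plugins-good0.10": "0.10.31-3+nmu4+deb8u2",
}

# Constructed sample of: dpkg-query -W -f='${source:Package} ${Package} ${Version}\n'
SAMPLE_DPKG_OUTPUT = """\
gst-plugins-good1.0 gstreamer1.0-plugins-good 1.4.4-2
gst-plugins-good1.0 libgstreamer-plugins-good1.0-0 1.4.4-2+deb8u2
gst-plugins-good0.10 gstreamer0.10-plugins-good 0.10.31-3+nmu4
gstreamer1.0 libgstreamer1.0-0 1.4.4-2
"""

def _order(c):  # dpkg character weight: '~' < end-of-string < letters < other symbols
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):  # upstream or revision string: alternating non-digit and numeric runs
    ta = [(nd, int(d or 0)) for nd, d in re.findall(r"(\D*)(\d*)", a) if nd or d]
    tb = [(nd, int(d or 0)) for nd, d in re.findall(r"(\D*)(\d*)", b) if nd or d]
    for i in range(max(len(ta), len(tb))):
        nda, da = ta[i] if i < len(ta) else ("", 0)
        ndb, db = tb[i] if i < len(tb) else ("", 0)
        for j in range(max(len(nda), len(ndb))):  # non-digit run, char by char
            oa, ob = _order(nda[j:j + 1]), _order(ndb[j:j + 1])
            if oa != ob:
                return -1 if oa < ob else 1
        if da != db:  # numeric run, compared as integers (so 1.10 > 1.4)
            return -1 if da < db else 1
    return 0

def compare_versions(a, b):
    """Return -1, 0 or 1 like dpkg --compare-versions for [epoch:]upstream[-revision]."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        return (int(epoch), *(rest.rsplit("-", 1) if "-" in rest else (rest, "")))
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def find_vulnerable(dpkg_output, fixed=FIXED):  # -> [(binary, installed, fixed)] still below the fix
    rows = [r for r in (line.split() for line in dpkg_output.splitlines()) if len(r) == 3]
    return [(binary, ver, fixed[src]) for src, binary, ver in rows
            if src in fixed and compare_versions(ver, fixed[src]) < 0]

if __name__ == "__main__":
    for binary, installed, needed in find_vulnerable(SAMPLE_DPKG_OUTPUT):
        print(f"{binary}: installed {installed}, fixed in {needed}")
```

Replace `SAMPLE_DPKG_OUTPUT` with the real dpkg-query output of a jessie host to list the binary packages built from either source package that are still below the fixed version.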

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----