===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0479
                         leptonlib security update
                             16 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           leptonlib
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
                   Apple iOS
                   Android
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-3836

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2018/02/msg00019.html

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running leptonlib check for an updated version of the software for
         their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : leptonlib
Version        : 1.69-3.1+deb7u1
CVE ID         : CVE-2018-3836
Debian Bug     : 889759

Talosintelligence discovered a command injection vulnerability in the
gplotMakeOutput function of leptonlib.

A specially crafted gplot rootname argument can cause a command injection
resulting in arbitrary code execution. An attacker can provide a malicious
path as input to an application that passes attacker data to this function
to trigger this vulnerability.

For Debian 7 "Wheezy", these problems have been fixed in version
1.69-3.1+deb7u1.

We recommend that you upgrade your leptonlib packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
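
Added example, not part of the bulletin and not leptonlib's code or the Debian patch: a sketch of how an application that accepts a plot rootname from untrusted input can reject unsafe values and start the plotting program without a shell. The names rootname_is_safe and run_plotter, the allowlist and the 255-byte limit are assumptions chosen for illustration.

```c
/* Added illustration; hypothetical helper names, not leptonlib code. */
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 only if the name is non-empty, at most 255 bytes, made solely of
 * [A-Za-z0-9._/-], does not start with '-' and contains no ".." sequence.
 * Spaces, quotes and shell metacharacters all fall outside the allowlist. */
int rootname_is_safe(const char *rootname)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._/-";
    size_t len;

    if (rootname == NULL)
        return 0;
    len = strlen(rootname);
    if (len == 0 || len > 255)
        return 0;
    if (rootname[0] == '-')                 /* would be parsed as an option */
        return 0;
    if (strspn(rootname, allowed) != len)   /* any byte outside the allowlist */
        return 0;
    if (strstr(rootname, "..") != NULL)     /* no parent-directory traversal */
        return 0;
    return 1;
}

/* Run `program cmdfile` with fork/exec so that no shell ever interprets the
 * file name. Returns the child's exit status, or -1 on rejection or error. */
int run_plotter(const char *program, const char *cmdfile)
{
    pid_t pid;
    int status;

    if (program == NULL || !rootname_is_safe(cmdfile))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp(program, program, cmdfile, (char *)NULL);
        _exit(127);                         /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Validation and shell-free execution are independent layers: the allowlist keeps unexpected bytes out of generated file names, and passing the name as a single argv entry means it is never parsed as command text.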