-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4565
                          libav security update
                              6 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libav
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-17542 CVE-2019-14443 CVE-2018-19130
                   CVE-2018-19128 CVE-2017-18245 CVE-2017-17127

Original Bulletin:
   https://www.debian.org/lts/security/2019/dla-2021

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : libav
Version        : 6:11.12-1~deb8u9
CVE ID         : CVE-2017-17127 CVE-2017-18245 CVE-2018-19128 CVE-2018-19130
                 CVE-2019-14443 CVE-2019-17542

Several security issues were fixed in libav, a multimedia library for
processing audio and video files.

CVE-2017-17127

    The vc1_decode_frame function in libavcodec/vc1dec.c allows remote
    attackers to cause a denial of service (NULL pointer dereference and
    application crash) via a crafted file. CVE-2018-19130 is a duplicate
    of this vulnerability.

CVE-2017-18245

    The mpc8_probe function in libavformat/mpc8.c allows remote attackers
    to cause a denial of service (heap-based buffer over-read) via a
    crafted audio file on 32-bit systems.

CVE-2018-19128

    Heap-based buffer over-read in decode_frame in libavcodec/lcldec.c
    allows an attacker to cause denial-of-service via a crafted avi file.

CVE-2019-14443

    Division by zero in range_decode_culshift in libavcodec/apedec.c
    allows remote attackers to cause a denial of service (application
    crash), as demonstrated by avconv.

CVE-2019-17542

    Heap-based buffer overflow in vqa_decode_chunk because of an
    out-of-array access in vqa_decode_init in libavcodec/vqavideo.c.

For Debian 8 "Jessie", these problems have been fixed in version
6:11.12-1~deb8u9.

We recommend that you upgrade your libav packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAl3pRywACgkQj/HLbo2J
BZ96jQf7BPpCLuqJz2eNuTpksi56ZWZa0iS7v1rKOEQWpd5c/+fWWC9r+Fz/sEFc
cbx+KL4CUWSMgUcmt6yPeyJIUoKWsDEltvruRVGA96RSS/FfEj6/V/1K8okOhagJ
oBoC56h10QvvDmVJlekxSrUG0uozsXa8jzg5TOxk1scw5o8JlAXLr9st2IVYIhB0
VFRk20wPxSK8kZzwswCCr9Sy9yAUDeq8nB3tPc4TRTILEkbwJh35gn0F1zf0ON4/
CKbvfQVNeyihz0kQeRIGsLrawRX7omOkbmi7kpAvXNR9DlJlVITHY6eVKPDDq5M2
GOmV/ctP7SQZtTTm6dMmPvA4lD0r+A==
=rbOz
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXemex2aOgq3Tt24GAQhCYQ//XsZy2GMJ5EIxNUEtB38JhzpWz11KMY3w
nHt0R7FvZ08ht5BfWYDFkzXPXkhXcnYz8Dd2T79478pYxRL7rS7Xf/Rk1VYztn1h
wPsqLjvYTjONtyNK0FhbDsP8AIQS0467A8sdb8/EJsjLabnAnVWf43AA38wl0Z0x
g3P+biKkAeRpEmHIyjWRNK+238VgdxfHoiUKLe9/vKY3K0rBAuErxR4OSVM/gol9
k2qxI8+xvYpRiBWOQmcGEexaz9yi542onZV2yJbS/4vsnqg9OrSPgL6q4bvSJABO
hdJJkAlDnopjX4nSNaqLiJfCVYCrXYNRZWXZ6Y+8fMO9wzEayuzrJuErOXRrja49
+7VJ7fGLTbzE4Br19Ma9gApYVfeeuBu//UCfHSDfSpsc3QeuFH1KllvYVoS+nwHc
tWI5EDJJ7jjC2/XDMRFhC92/WsaQH93eJlInazVoLjoOGEOeL/EgebjdALfrcNJg
NLr/uNvq+EQPAU0VN4N6YQRSFNktv/6jXTUpuVg1LWPYi7EN2up8Yuwc6gYADZTZ
TPSzMTkGlX8NLgSya8wEz3vg8ffeUzjb/FzcLPzJsdg71b25T3WYt/350inI0/Sz
fdf5gvOb8/MW7X5wdpH2UvDATDiygWyv1mUsYFuyC5djpkIAEgxYCaXBLwPZ+cHP
DGFGuwxnvRo=
=9Quk
-----END PGP SIGNATURE-----