===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0012
                         freeimage security update
                              2 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           freeimage
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 10
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-12213 CVE-2019-12211 

Reference:         ESB-2019.4600

Original Bulletin: 
   http://www.debian.org/security/2019/dsa-4593

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4593-1                   security@debian.org
https://www.debian.org/security/                            Hugo Lefeuvre
December 27, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : freeimage
CVE ID         : CVE-2019-12211 CVE-2019-12213
Debian Bug     : 929597

It was found that freeimage, a graphics library, was affected by the
following two security issues:

CVE-2019-12211

    Heap buffer overflow caused by invalid memcpy in PluginTIFF. This
    flaw might be leveraged by remote attackers to trigger denial of
    service or any other unspecified impact via crafted TIFF data.

CVE-2019-12213

    Stack exhaustion caused by unwanted recursion in PluginTIFF. This
    flaw might be leveraged by remote attackers to trigger denial of
    service via crafted TIFF data.

For the oldstable distribution (stretch), these problems have been fixed
in version 3.17.0+ds1-5+deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 3.18.0+ds2-1+deb10u1.

We recommend that you upgrade your freeimage packages.

For the detailed security status of freeimage please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/freeimage

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================