-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0221
                         transfig security update
                              22 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           transfig
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-19555 CVE-2019-14275 CVE-2018-16140

Reference:         ESB-2019.1810
                   ESB-2018.2658

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2020/01/msg00018.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : transfig
Version        : 1:3.2.5.e-4+deb8u2
CVE ID         : CVE-2018-16140 CVE-2019-14275 CVE-2019-19555


Several issues have been found in transfig, an XFig figure file converter.

CVE-2018-16140

    Buffer underwrite vulnerability in get_line()
    allows an attacker to write prior to the beginning of the
    buffer via a crafted .fig file.

CVE-2019-14275

    Stack-based buffer overflow in the calc_arrow
    function in bound.c.

CVE-2019-19555

    Stack-based buffer overflow because of an
    incorrect sscanf.

For Debian 8 "Jessie", these problems have been fixed in version
1:3.2.5.e-4+deb8u2.

We recommend that you upgrade your transfig packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
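
A way to confirm that a Debian 8 host already carries the fixed package named in the advisory above. This is an added example, not part of the Debian or AusCERT text; the function names are hypothetical, and it assumes dpkg and dpkg-query are available on the host.

```shell
#!/bin/sh
# Added example: compare the installed transfig version with the fixed
# version from the advisory. Function names are hypothetical.

FIXED_VERSION='1:3.2.5.e-4+deb8u2'   # from the advisory (Debian 8 "Jessie")

# version_is_fixed VERSION
# Returns 0 if VERSION >= FIXED_VERSION under Debian version ordering
# (epoch, then upstream version, then Debian revision), 1 otherwise.
version_is_fixed() {
    dpkg --compare-versions "$1" ge "$FIXED_VERSION"
}

# transfig_status [PACKAGE]
# Prints "not-installed", "vulnerable <version>" or "fixed <version>".
transfig_status() {
    pkg=${1:-transfig}
    # Ask for status and version together: a package that was removed but
    # not purged can still have a database entry, so the status is checked.
    info=$(dpkg-query -W -f='${Status}|${Version}' "$pkg" 2>/dev/null) || info=''
    case $info in
        'install ok installed|'*)
            installed=${info#*|}
            ;;
        *)
            echo "not-installed"
            return 0
            ;;
    esac
    if version_is_fixed "$installed"; then
        echo "fixed $installed"
    else
        echo "vulnerable $installed"
    fi
}

# Usage on a host: transfig_status
# The binary package that ships the converter can be checked the same way,
# e.g. transfig_status <package-name>.
```

A plain string or `sort -V` comparison is not a substitute here: the `1:` epoch and the `+deb8u2` suffix only order correctly under dpkg's own comparison rules.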

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----