|
|
Log in / Subscribe / Register

Debian alert DLA-4449-1 (zvbi)



From:
              Thorsten Alteholz <debian@alteholz.de>


To:
              debian-lts-announce@lists.debian.org


Subject:
              [SECURITY] [DLA 4449-1] zvbi security update


Date:
              Sat, 24 Jan 2026 18:37:27 +0000


Message-ID:
              <539aee50-dbc4-454-e6ce-cf9561fce810@alteholz.de>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4449-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
January 24, 2026                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : zvbi
Version        : 0.2.35-18+deb11u1
CVE ID         : CVE-2025-2173 CVE-2025-2174 CVE-2025-2175 CVE-2025-2176
                  CVE-2025-2177


Several issues have been found in zvbi, a Vertical Blanking Interval 
decoder.
CVE-2025-2173 is related to an uninitialized pointer in src/conv.c:: 
vbi_strndup_iconv_ucs2()
The other issues are related to integer overflows in several functions 
distributed all over the code.


For Debian 11 bullseye, these problems have been fixed in version
0.2.35-18+deb11u1.

We recommend that you upgrade your zvbi packages.

For the detailed security status of zvbi please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zvbi

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAml1EWdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEc1OQ//emjCVLwWmE0F61p0orDNob9kRNyPxQ9btz8lBGLLF6XbWaC8GJm7RzOH
hU2Uc38PWjd6SqtK3Wx6eIb3UdG9RchWyUbglhA8OXj+JrpmAqLLNMFy9BHxS76M
IBipWzGiWiEMD0R7fHPsUtVkwyDAmSB2HKFWsUmPLFpifr4rY5i/xWNLE+GasJIu
GNX+REEAXJNNUNUD/sEuVbNfdbBTBIITeTOl/HGpQIs5vYmprHb0XZWJ+1VxQiK8
22q0gBXzw1ciK8/Lahn8YneVH/y2T1pQUYe7A6yx+V7vU+dam+L1ZpNhqP9HBEAg
T2Kkt1Z68YFISEGy+yVjFlwlueDPhFg6kZC9MmRJ/onBjnevig3yd7IQ8h97Fjdr
NKoYbeT6tWfRDpN75au1N0MPWzTmTAiBjTLPXxbRFohcvvGjVwx4zS8jxGXLbGIp
ydo9rAJ8HRIjwraZteOPg+uoolvIBrboAVxGnwNI57c6L03CpH3sVyGXiPHX+bLe
fVaz/6iFFrr4+2OSSoFRquP9gjZu5twjM17o+wiyANbEu6Hl3/9HH0X9Rdd9xQqJ
FtGv0u2RIoedMYeMlbsh54oyBOrBkYPEmY+j2TKo1SjvH1v7Qxy5WvZeIGS5A3+R
pI+GgJf1o4FBNwQkIIZYhPxI8bC+FzoSTDpPmyJs+YbimV+ei0E=
=/quF
-----END PGP SIGNATURE-----
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds