Debian alert DLA-1042-1 (libquicktime)
| From: | Thorsten Alteholz <debian@alteholz.de> |
| To: | debian-lts-announce@lists.debian.org |
| Subject: | [SECURITY] [DLA 1042-1] libquicktime security update |
| Date: | Fri, 28 Jul 2017 22:14:32 +0200 (CEST) |
| Message-ID: | <alpine.DEB.2.02.1707282210560.9195@jupiter.server.alteholz.net> |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : libquicktime
Version        : 2:1.2.4-3+deb7u2
CVE ID         : CVE-2017-9122 CVE-2017-9123 CVE-2017-9124 CVE-2017-9125
                 CVE-2017-9126 CVE-2017-9127 CVE-2017-9128
Debian Bug     : 864664

CVE-2017-9122

    The quicktime_read_moov function in moov.c in libquicktime 1.2.4 allows
    remote attackers to cause a denial of service (infinite loop and CPU
    consumption) via a crafted mp4 file.

CVE-2017-9123

    The lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4
    allows remote attackers to cause a denial of service (invalid memory read
    and application crash) via a crafted mp4 file.

CVE-2017-9124

    The quicktime_match_32 function in util.c in libquicktime 1.2.4 allows
    remote attackers to cause a denial of service (NULL pointer dereference
    and application crash) via a crafted mp4 file.

CVE-2017-9125

    The lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4
    allows remote attackers to cause a denial of service (heap-based buffer
    over-read) via a crafted mp4 file.

CVE-2017-9126

    The quicktime_read_dref_table function in dref.c in libquicktime 1.2.4
    allows remote attackers to cause a denial of service (heap-based buffer
    overflow and application crash) via a crafted mp4 file.

CVE-2017-9127

    The quicktime_user_atoms_read_atom function in useratoms.c in libquicktime
    1.2.4 allows remote attackers to cause a denial of service (heap-based
    buffer overflow and application crash) via a crafted mp4 file.

CVE-2017-9128

    The quicktime_video_width function in lqt_quicktime.c in libquicktime
    1.2.4 allows remote attackers to cause a denial of service (heap-based
    buffer over-read and application crash) via a crafted mp4 file.

For Debian 7 "Wheezy", these problems have been fixed in version
2:1.2.4-3+deb7u2.

We recommend that you upgrade your libquicktime packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQJ8BAEBCgBmBQJZe5soXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hH17wQAKy2xPcejz6Hp4d8wBYLtJhB
JgSACWn/tzNZdM7Nuv5U75sEgqIoZM1Iv22/VTDZocci3tMM2l9BgQxxQWMg0ab6
s4Bihrt0s/p4NqeiNrHuClqm87LWlJkos1xzI2Lwye5JYhJZtj8EIZTFewl45T4F
yG6WLw9bwdUgC9gnPWlbkqDZIOYiSpFuecoW8I6mUQUVOEmI8gADiRRltDC039Mo
BBbIo0cmjytqEYPf90gOZ/XJ3SOQnUoTdlHit+Nw6xSCQ/jJnaZ1xxcI5GMwyDa3
tYlC6e9B9p0stB8W+oK+hK8jW8ykPHMLC/8PFpx9drsgZW5HCJZIYvKWTJqbbsAu
DSH4ifYQvvUSW1Ve8rrTTpxcSlpzuxAukI6nEx/Av9iIGK870leCHh5IqlI8aj4r
xFI9XACanxQYrhJLZGgGihMjBFzTnu1pn5iZFsWM6l2kd/GpI+bGqS8s+pngcqGI
QXC2c1Cha0g0oZZxmUmx/kjrAlU8z1BJnDT10L8/Vf9A4Yx/tGuHGi7X8Gx0TQD4
HXawF5RnPY9DiZu9TmXg5fT9SE1OmoZrq6q90lV/5ko6mdGip1zKS1AWCSlpr4//
TsdjM4CpVmXaQbPubEJt6HyZFe4dFUT+8b861CtZ8MvZuOYGkiKPYKH6ellCENFD
3JzWNaaKo7AgQ+LTYPao
=idxU
-----END PGP SIGNATURE-----
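The symptoms listed in the advisory (an infinite loop, heap over-reads, heap overflows, all triggered by a crafted mp4 file) are the classic outcomes of an atom parser that trusts the size field in each atom header. The program below is an added illustration of that bug class and of the bounds checks that prevent it; it is not libquicktime's code and does not reproduce any of the listed CVEs. It assumes the standard header layout (4-byte big-endian size covering the header, then a 4-byte type tag) and uses constructed byte arrays as input.

```c
/*
 * Added illustration, not libquicktime code: a minimal MP4/QuickTime atom
 * walker in a naive form and a bounded form. Atom header layout assumed:
 * 4-byte big-endian size (counting the header itself) followed by a
 * 4-byte type tag. All inputs below are constructed for the demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ATOM_OK = 0, ATOM_ERR_TRUNCATED = -1, ATOM_ERR_BAD_SIZE = -2 };

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Naive walk: advances by whatever size the file declares. A declared size
 * of 0 never moves `off`, so on real input the loop spins forever; `limit`
 * exists only so this demo terminates. Returns the number of headers read. */
size_t naive_walk(const unsigned char *buf, size_t len, size_t limit) {
    size_t off = 0, n = 0;
    while (off < len && n < limit) {
        uint32_t size = be32(buf + off); /* no check that a header remains */
        n++;
        off += size;                      /* size == 0: no progress */
    }
    return n;
}

/* Bounded walk: every atom needs a full header inside the buffer, a size of
 * at least 8 so the walk always advances, and a body that fits in what is
 * left. Size 0 ("runs to end of file", legal only for the last atom) ends
 * the walk; the 64-bit "largesize" form (size == 1) is rejected here to keep
 * the example short. Returns the atom count, or a negative ATOM_ERR_* code. */
int safe_walk(const unsigned char *buf, size_t len) {
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < 8) return ATOM_ERR_TRUNCATED;
        uint32_t size = be32(buf + off);
        if (size == 0) return count + 1;          /* last atom, to end of buffer */
        if (size < 8) return ATOM_ERR_BAD_SIZE;   /* includes largesize (1) */
        if (size > len - off) return ATOM_ERR_TRUNCATED;
        off += size;
        count++;
    }
    return count;
}

/* Copy the first atom's payload into `out`. The heap-overflow pattern is
 * copying `size - 8` bytes into memory sized by something else; here the
 * payload must fit both the input buffer and `outcap`. Returns bytes copied
 * or a negative ATOM_ERR_* code. */
int copy_first_payload(const unsigned char *buf, size_t len,
                       unsigned char *out, size_t outcap) {
    if (len < 8) return ATOM_ERR_TRUNCATED;
    uint32_t size = be32(buf);
    if (size < 8) return ATOM_ERR_BAD_SIZE;
    if (size > len) return ATOM_ERR_TRUNCATED;
    size_t n = size - 8;
    if (n > outcap) return ATOM_ERR_BAD_SIZE;     /* would overflow `out` */
    memcpy(out, buf + 8, n);
    return (int)n;
}

/* Constructed inputs (not taken from any real file). */
const unsigned char VALID[] = {
    0, 0, 0, 16, 'f', 't', 'y', 'p', 'i', 's', 'o', 'm', 0, 0, 2, 0, /* 16-byte ftyp */
    0, 0, 0, 8,  'f', 'r', 'e', 'e'                                  /* 8-byte free */
};
const unsigned char ZERO_SIZE[] = { 0, 0, 0, 0,  'm', 'o', 'o', 'v', 0, 0, 0, 8, 'f', 'r', 'e', 'e' };
const unsigned char TOO_SHORT[] = { 0, 0, 0, 4,  'm', 'o', 'o', 'v', 0, 0, 0, 8, 'f', 'r', 'e', 'e' };
const unsigned char OVERRUN[]   = { 0, 0, 0, 64, 'm', 'o', 'o', 'v', 0, 0, 0, 8, 'f', 'r', 'e', 'e' };
unsigned char scratch[8];                          /* destination for copy_first_payload */

int main(void) {
    printf("naive valid: %zu atoms\n", naive_walk(VALID, sizeof VALID, 1000));
    printf("naive zero : %zu iterations before cap\n", naive_walk(ZERO_SIZE, sizeof ZERO_SIZE, 1000));
    printf("safe  valid: %d\n", safe_walk(VALID, sizeof VALID));
    printf("safe  zero : %d\n", safe_walk(ZERO_SIZE, sizeof ZERO_SIZE));
    printf("safe  short: %d\n", safe_walk(TOO_SHORT, sizeof TOO_SHORT));
    printf("safe  over : %d\n", safe_walk(OVERRUN, sizeof OVERRUN));
    printf("copy into 8: %d, into 4: %d\n",
           copy_first_payload(VALID, sizeof VALID, scratch, 8),
           copy_first_payload(VALID, sizeof VALID, scratch, 4));
    return 0;
}
```

The three checks in safe_walk map onto the three failure modes the advisory names: a header that does not fit (over-read), a size that cannot advance the cursor (infinite loop), and a size larger than the remaining input (over-read or overflow when the body is later copied). copy_first_payload shows the other half, checking the declared length against the destination capacity before memcpy rather than against the input alone.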
