-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.3939
libexif security update
9 November 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: libexif
Publisher: Debian
Operating System: Debian GNU/Linux
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2020-0452
Reference: ESB-2020.3934
Original Bulletin:
http://www.debian.org/security/2020/dsa-4786
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4786-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 08, 2020 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : libexif
CVE ID : CVE-2020-0452
It was discovered that a boundary check in libexif, a library to parse
EXIF files, could be optimised away by the compiler, resulting in
a potential buffer overflow.
For the stable distribution (buster), this problem has been fixed in
version 0.6.21-5.1+deb10u5.
We recommend that you upgrade your libexif packages.
For the detailed security status of libexif please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libexif
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl+oCFAACgkQEMKTtsN8
TjawTBAAvQ/VB+0Nlbd9plOAUFtse3jrtgALiAczERsAntbBUOQweblDS/xK21Ng
qlMaNpPspmMcbsLu+3kwKs8rO2sG5i50DkfyXYwshVENLLgG7jbvJ/LH1XLLKzPe
yazeKybNaH7zqiONr3q+45av8+dPeLjsjJjY9Up8wKM9Fkyh6VZqkgd14ixzTP4A
/qPl9cU1oz+XrAz9kml85Xbq61IiM+7fRJv2yUimYkWxPGHJf2xPp0o55KPPz6x9
Yl4EwAjU7AsAhc+BEKAx8xIFsEYdtq3Ym3EXd5UTQSIi9K2WqM+TbuLKFeWkysdF
YRz2yifQhIg4NRMMMKXP5JV/P6Kma91LvqHbU1ZN70V0Ts9SClZAvQene9npCuFa
fc98/KcilRofhpdKfPFMwf5LaNrytJcC9ue8enM+Xj/iLDM2S6AwNzEZAKv/liYP
hdAVbK9QETcobUe0jrLEubbmUqezMEl1s6GgqljqJOVkz1LHZZK/YvSUnhsXxkqA
MTqKuM7mJVbJsDEvgFa3BdGJuH1E4ya6x+TwJFw4DmJ+acXHZ+0k4/iuZwK/QloN
x26jdr25WjwRqp/vmTcxTYp5Sxl2zv3BRLh+EJasBbB58pIxYPAQzLnEIA8KmiGJ
SyNR3qoSPcN5kchT+IkS673zPFRGosyOYaDxKn2Z4a2bGnoMuVo=
=Yb9P
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX6jJYuNLKJtyKPYoAQigQw/+PwG4oEAlH9ux+uF3umO30E6qNf4T4/qy
eiEP5786mXhRAnTKrhob6wwehd+fyBaJKq841JZtMl/nQA7+prT4dWXOuIVHwwLs
YA80BuXpJx95wodOyiERiP1H3nEimFFaLSqPiU/ZfZzg3hYUY8OXvdV+JHzt+EtA
YInM9ky6PMUxbaPl/EVPRx8klf58pM4vh5y5ewSzJOPqXTRRW8ndbnoPLiMST9rY
G5WBiEl2fxdTg8Q0xPtXZZNgh19exRT2Om4ntmuKH1ig5SCfb5mRpREpEfKt/OLp
wqAEiDsMTiDigdL6ROe9V3pMzEkFDc7JJF3QD4L4bhj25MBEQUDKe3djZMz8TbFP
6Ar5ZLE5NTglbKL5Kl0/shmlyh5A4J/40zJ6rdKiwQkN0zQJTFrs73JNUyAZMbt2
wjf7Oe47lrKCmJlNe3Ko9yI8xZ30amJE/3krT7tgZPr4ztxL2XHWZjrVmu1gXLUm
5hnc8L58LhKdwdvP3HnmcXqH+LDljqdi16zYTIbD7BR0WIXB0FvbJZ/ukS0tUF4n
PDW80FEUOLhB9vBr3KvDvW6C035wA+zxbMjJc4zsStr4t648efFCZ6XoQ/iMbIoA
O47OG4MSKxhKdIUD3CXxSmjHLYMjSvgLsXQvEhxuM/pN7Ip/lOtgvjeKFDIUBEHD
nUOeUkapC7I=
=ICdB
-----END PGP SIGNATURE-----
The post ESB-2020.3939 – [Debian] libexif: Execute arbitrary code/commands – Remote with user interaction appeared first on Malware Devil.
https://malwaredevil.com/2020/11/09/esb-2020-3939-debian-libexif-execute-arbitrary-code-commands-remote-with-user-interaction/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-3939-debian-libexif-execute-arbitrary-code-commands-remote-with-user-interaction
No comments:
Post a Comment