Malware Devil

Loading...

Friday, April 9, 2021

ESB-2021.1194 – [Win][UNIX/Linux][Debian] lib3mf: Execute arbitrary code/commands – Remote/unauthenticated 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1194
                          lib3mf security update
                               9 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           lib3mf
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-21772  

Original Bulletin: 
   https://lists.debian.org/debian-security-announce/2021/msg00068.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running lib3mf check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4887-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 08, 2021                        https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : lib3mf
CVE ID         : CVE-2021-21772
Debian Bug     : 985092

A use-after-free was discovered in Lib3MF, a C++ implementation of the
3D Manufacturing Format, which could result in the execution of
arbitrary code if a malformed file is opened.

For the stable distribution (buster), this problem has been fixed in
version 1.8.1+ds-3+deb10u1.

We recommend that you upgrade your lib3mf packages.

For the detailed security status of lib3mf please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lib3mf

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmBvSqgACgkQEMKTtsN8
TjZ1wA//YsD3ywg6c7X8IYZNKbU9G3ZkPtk1RdEa/i1JVB5Kr2yOTbK1g9a2Rxor
FfpF0jPGTOkLVAIvkutmsvousI3S8z/KVYlooltJEG4DDeSryccyHKUzhLcVltXd
YQiLnA3/ponzedFqO7xcktsSYHJOOZK6BVvV8hHZTn0VRfBzpNGKKv0xguHHP8hd
eEet1Dp7ZiFAN0SxaSGyQf6dPSwz857ASyrzsqZ3HOoClOUAXg0uCxwpwLo6oE2D
MYy9e8kWHs7ZtKK+sZdzdZQ+DvDKm6vZmhzdAVFnqhcnhMd57DdEi6RknL4uKym7
CgyN4nL+HVoLvIlwIkxefV5GPey3mcEkS2wZaG4vXCyXabKfrpDcOCKNLWcjsUMq
928q/MUJU4uBD/dSrHRnYHpqYaQsVTxgVySboRS4O+bklcbq0fsORZ3DOkkkw872
j2BpiqjBMrBtzhPNVCU6EghTNFHo0JCuuesCYCyorEsdkdLPh3GL3Np2zDnCd6PN
UuOiQr4Jjjfk2HskKZOXxKcbdVQL8ox7S99pOURqx+95KpyUzhakY+jWusmXU8eL
R4zDf7LoZxhh1R+O+Bl64YOLlkegHtxO8q835tseh77G4vfuu3FVKIb/HWJQzM4T
7JzvX4oajHIaYiKJLpXu3eo+HdJdjWfjH5FouV5GtpDJQUaqbpc=
=AmSX
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYG+d5eNLKJtyKPYoAQh/tA//VVmQHJOv4SpwcmLRtXJqTxZ9+GTqwQcn
rqta89Ypt2YM2Qjmhk1p3UrSImIFdk4B5yKKIWJeIEQJkhvwyc5F0QGp/eyD44wk
3nXZo99yjBxG8xOTsB70f9yLf2/b9sqRdYU4EyqJKnE/co0xvIJTLWjtl/b3AtGX
yAa5urSRuTUF6BCBJIdpP+AC6JJzt4pyIYtl56xasTYQwrVJQ4m1W9vsUe7uVzog
+CbPsmNdK6OVQn2qEFbehmEtRlzbH36fcyDRgcabMt7FkjsRSvjjUQjR7SpXmOdv
38glp/3Wsimmb+I6d6b3HnFbIfVgqpDzmgQpwVESGI4S+kqSkVk6F90iXMMk3QWQ
BBpoGZKjvPsQe2A49hf5mM1ZJNb+nMYSkC83HOWrPc6yMVgiY+KY0LCOQHiNXE/4
oNwNvCl5obzMAyW0ZVkZUVA7jL0zHOhytDRM/QUZIoDxfuN/+d0CHKk1RKQxG9Lo
5HgFK05w2wT4mdhrUHAXTGPiRnLlScbOOuNixG25Zl1LYPStFxZWUURgl7Z63OmW
qnovh3Ne3w2QgRrJn4iUbzWEWgr4cnwI+niuTVxEpKIEDjyd5YSgXQEiFmGNRW3j
eqFiekn/VWdZtA11msX0lJwH60umzQqwzOZ6Yf7GY/+ObmMf1Mo2t+27+bWiIMh4
NjQgfSfMczs=
=OUEh
-----END PGP SIGNATURE-----

Read More

The post ESB-2021.1194 – [Win][UNIX/Linux][Debian] lib3mf: Execute arbitrary code/commands – Remote/unauthenticated appeared first on Malware Devil.



https://malwaredevil.com/2021/04/09/esb-2021-1194-winunix-linuxdebian-lib3mf-execute-arbitrary-code-commands-remote-unauthenticated/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-1194-winunix-linuxdebian-lib3mf-execute-arbitrary-code-commands-remote-unauthenticated
at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...