Debian Security Advisory

DLA-789-1 icoutils -- LTS security update

Date Reported:
17 Jan 2017
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 850017.
In Mitre's CVE dictionary: CVE-2017-5208, CVE-2017-5331, CVE-2017-5332, CVE-2017-5333.
More information:

Brief introduction

  • CVE-2017-5208

    Choongwoo Han reported[0] an exploitable crash in wrestool from icoutils. The command line tools is e.g. used in KDE's metadataparsing.

  • CVE-2017-5331

    It turned out that the correction for CVE-2017-5208 was not enough so an additional correction was needed.

  • CVE-2017-5332

    But as I see it there are still combinations of the arguments which make the test succeed even though the the memory block identified by offset size is not fully inside memory total_size.

  • CVE-2017-5333

    The memory check was not stringent enough on 64 bit systems.

For Debian 7 Wheezy, these problems have been fixed in version 0.29.1-5deb7u1.

We recommend that you upgrade your icoutils packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: