Debian Long Term Support / LTS Security Information / 2017 / Security Information -- DLA-789-1 icoutils

Debian Security Advisory

DLA-789-1 icoutils -- LTS security update

Date Reported:

17 Jan 2017

Affected Packages:

icoutils

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 850017.
In Mitre's CVE dictionary: CVE-2017-5208, CVE-2017-5331, CVE-2017-5332, CVE-2017-5333.

More information:

Brief introduction

• CVE-2017-5208

  Choongwoo Han reported[0] an exploitable crash in wrestool from icoutils. The command line tools is e.g. used in KDE's metadataparsing.

• CVE-2017-5331

  It turned out that the correction for CVE-2017-5208 was not enough so an additional correction was needed.

• CVE-2017-5332

  But as I see it there are still combinations of the arguments which make the test succeed even though the the memory block identified by offset size is not fully inside memory total_size.

• CVE-2017-5333

  The memory check was not stringent enough on 64 bit systems.

For Debian 7 Wheezy, these problems have been fixed in version 0.29.1-5deb7u1.

We recommend that you upgrade your icoutils packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS