Debian DSA-3555-1 : imlib2 - security update

critical Nessus Plugin ID 90687

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities were discovered in imlib2, an image manipulation library.

- CVE-2011-5326 Kevin Ryde discovered that attempting to draw a 2x1 radi ellipse results in a floating point exception.

- CVE-2014-9771 It was discovered that an integer overflow could lead to invalid memory reads and unreasonably large memory allocations.

- CVE-2016-3993 Yuriy M. Kaminskiy discovered that drawing using coordinates from an untrusted source could lead to an out-of-bound memory read, which in turn could result in an application crash.

- CVE-2016-3994 Jakub Wilk discovered that a malformed image could lead to an out-of-bound read in the GIF loader, which may result in an application crash or information leak.

- CVE-2016-4024 Yuriy M. Kaminskiy discovered an integer overflow that could lead to an insufficient heap allocation and out-of-bound memory write.

Solution

Upgrade the imlib2 packages.

For the oldstable distribution (wheezy), these problems have been fixed in version 1.4.5-1+deb7u2.

For the stable distribution (jessie), these problems have been fixed in version 1.4.6-2+deb8u2.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639414

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785369

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819818

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820206

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=821732

https://security-tracker.debian.org/tracker/CVE-2011-5326

https://security-tracker.debian.org/tracker/CVE-2014-9771

https://security-tracker.debian.org/tracker/CVE-2016-3993

https://security-tracker.debian.org/tracker/CVE-2016-3994

https://security-tracker.debian.org/tracker/CVE-2016-4024

https://packages.debian.org/source/wheezy/imlib2

https://packages.debian.org/source/jessie/imlib2

https://www.debian.org/security/2016/dsa-3555

Plugin Details

Severity: Critical

ID: 90687

File Name: debian_DSA-3555.nasl

Version: 2.12

Type: local

Agent: unix

Published: 4/25/2016

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:8.0, p-cpe:/a:debian:debian_linux:imlib2, cpe:/o:debian:debian_linux:7.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 4/23/2016

Reference Information

CVE: CVE-2011-5326, CVE-2014-9771, CVE-2016-3993, CVE-2016-3994, CVE-2016-4024

DSA: 3555