Security update for netpbm SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:14101-1 Final 1 1 2019-06-21T11:55:01Z current 2019-06-21T11:55:01Z 2019-06-21T11:55:01Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for netpbm This update for netpbm fixes the following issues: Security issues fixed: - CVE-2017-2579: Fixed out-of-bounds read in expandCodeOntoStack() (bsc#1024288). - CVE-2017-2580: Fixed out-of-bounds write of heap data in addPixelToRaster() function (bsc#1024291). - created a netpbm-vulnerable subpackage and move pstopnm there, as it uses ghostscript for conversion (bsc#1136936) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sleposp3-netpbm-14101,slessp4-netpbm-14101 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-201914101-1/ Link for SUSE-SU-2019:14101-1 https://lists.suse.com/pipermail/sle-security-updates/2019-June/005614.html E-Mail link for SUSE-SU-2019:14101-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1024288 SUSE Bug 1024288 https://bugzilla.suse.com/1024291 SUSE Bug 1024291 https://bugzilla.suse.com/1136936 SUSE Bug 1136936 https://www.suse.com/security/cve/CVE-2017-2579/ SUSE CVE CVE-2017-2579 page https://www.suse.com/security/cve/CVE-2017-2580/ SUSE CVE CVE-2017-2580 page SUSE Linux Enterprise Point of Sale 11 SP3 SUSE Linux Enterprise Server 11 SP4-LTSS libnetpbm10-10.26.44-101.15.5.2 netpbm-10.26.44-101.15.5.2 libnetpbm10-32bit-10.26.44-101.15.5.2 libnetpbm10-10.26.44-101.15.5.2 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 netpbm-10.26.44-101.15.5.2 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 libnetpbm10-10.26.44-101.15.5.2 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS libnetpbm10-32bit-10.26.44-101.15.5.2 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS netpbm-10.26.44-101.15.5.2 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS An out-of-bounds read vulnerability was found in netpbm before 10.61. The expandCodeOntoStack() function has an insufficient code value check, so that a maliciously crafted file could cause the application to crash or possibly allows code execution. CVE-2017-2579 SUSE Linux Enterprise Point of Sale 11 SP3:libnetpbm10-10.26.44-101.15.5.2 SUSE Linux Enterprise Point of Sale 11 SP3:netpbm-10.26.44-101.15.5.2 SUSE Linux Enterprise Server 11 SP4-LTSS:libnetpbm10-10.26.44-101.15.5.2 SUSE Linux Enterprise Server 11 SP4-LTSS:libnetpbm10-32bit-10.26.44-101.15.5.2 SUSE Linux Enterprise Server 11 SP4-LTSS:netpbm-10.26.44-101.15.5.2 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-201914101-1/ https://www.suse.com/security/cve/CVE-2017-2579.html CVE-2017-2579 https://bugzilla.suse.com/1024287 SUSE Bug 1024287 https://bugzilla.suse.com/1024288 SUSE Bug 1024288 An out-of-bounds write vulnerability was found in netpbm before 10.61. A maliciously crafted file could cause the application to crash or possibly allow code execution. CVE-2017-2580 SUSE Linux Enterprise Point of Sale 11 SP3:libnetpbm10-10.26.44-101.15.5.2 SUSE Linux Enterprise Point of Sale 11 SP3:netpbm-10.26.44-101.15.5.2 SUSE Linux Enterprise Server 11 SP4-LTSS:libnetpbm10-10.26.44-101.15.5.2 SUSE Linux Enterprise Server 11 SP4-LTSS:libnetpbm10-32bit-10.26.44-101.15.5.2 SUSE Linux Enterprise Server 11 SP4-LTSS:netpbm-10.26.44-101.15.5.2 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-201914101-1/ https://www.suse.com/security/cve/CVE-2017-2580.html CVE-2017-2580 https://bugzilla.suse.com/1024287 SUSE Bug 1024287 https://bugzilla.suse.com/1024291 SUSE Bug 1024291