Debian Security Advisory

DLA-438-1 libebml -- LTS security update

Date Reported: 28 Feb 2016
Affected Packages: libebml
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2015-8790, CVE-2015-8791.
More information:

Two security-related issues were fixed in libebml, a library for accessing the EBML format:

  • CVE-2015-8790

    The EbmlUnicodeString::UpdateFromUTF8 function in libEBML before 1.3.3 allows context-dependent attackers to obtain sensitive information from process heap memory via a crafted UTF-8 string, which triggers an invalid memory access.

  • CVE-2015-8791

    The EbmlElement::ReadCodedSizeValue function in libEBML before 1.3.3 allows context-dependent attackers to obtain sensitive information from process heap memory via a crafted length value in an EBML id, which triggers an invalid memory access.

For Debian 6 squeeze, these issues have been fixed in libebml version 0.7.7-3.1+deb6u1. We recommend that you upgrade your libebml packages.
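
As an added illustration (not libebml's code and not part of the advisory), the bounds-checked reader below shows the kind of check that guards against the out-of-bounds read described for CVE-2015-8791: the length announced by the first byte of an EBML coded size is compared with the bytes actually available before any of them are read. The names Vint and read_coded_size and the sample bytes are hypothetical and constructed for this example.

```cpp
// Added example: bounds-checked EBML coded-size reader (not libebml code).
#include <cstddef>
#include <cstdint>
#include <cstdio>

// One decoded EBML variable-length integer; length == 0 means "rejected".
struct Vint {
    std::uint64_t value;   // payload with the length-marker bit cleared
    std::size_t   length;  // bytes consumed, 1..8
};

// Decode a coded size from buf[0..avail). Rejects input whose first byte
// has no marker bit or announces more bytes than the buffer holds.
Vint read_coded_size(const std::uint8_t* buf, std::size_t avail) {
    const Vint rejected = {0, 0};
    if (buf == nullptr || avail == 0) return rejected;

    // The first set bit of byte 0, counted from the top, gives the length.
    const std::uint8_t first = buf[0];
    std::size_t length = 1;
    unsigned mask = 0x80;
    while (mask != 0 && (first & mask) == 0) { mask >>= 1; ++length; }
    if (mask == 0) return rejected;            // 0x00: no marker bit

    // Compare the announced length with what is actually there BEFORE
    // touching buf[1..]; an unchecked reader would run past the buffer.
    if (length > avail) return rejected;

    std::uint64_t value = first & (mask - 1);  // strip the marker bit
    for (std::size_t i = 1; i < length; ++i)
        value = (value << 8) | buf[i];
    const Vint ok = {value, length};
    return ok;
}

int main() {
    // Constructed sample inputs, not taken from any real file.
    const std::uint8_t good[]      = {0x40, 0x02};  // 2-byte size, value 2
    const std::uint8_t truncated[] = {0x01};        // claims 8 bytes, has 1
    const Vint a = read_coded_size(good, sizeof good);
    const Vint b = read_coded_size(truncated, sizeof truncated);
    std::printf("good: value=%llu length=%zu\n",
                static_cast<unsigned long long>(a.value), a.length);
    std::printf("truncated: %s\n", b.length == 0 ? "rejected" : "accepted");
    return 0;
}
```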