Debian Long Term Support / LTS Security Information / 2016 / Security Information -- DLA-438-1 libebml

Debian Security Advisory

DLA-438-1 libebml -- LTS security update

Date Reported:

28 Feb 2016

Affected Packages:

libebml

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2015-8790, CVE-2015-8791.

More information:

Two security-related issues were fixed in libebml, a library for accessing the EBML format:

• CVE-2015-8790

  The EbmlUnicodeString::UpdateFromUTF8 function in libEBML before 1.3.3 allows context-dependent attackers to obtain sensitive information from process heap memory via a crafted UTF-8 string, which triggers an invalid memory access.

• CVE-2015-8791

  The EbmlElement::ReadCodedSizeValue function in libEBML before 1.3.3 allows context-dependent attackers to obtain sensitive information from process heap memory via a crafted length value in an EBML id, which triggers an invalid memory access.

For Debian 6 squeeze, these issues have been fixed in libebml version 0.7.7-3.1+deb6u1. We recommend you to upgrade your libebml packages.