Debian Security Advisory
DLA-789-1 icoutils -- LTS security update
- Date Reported:
- 17 Jan 2017
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 850017.
In Mitre's CVE dictionary: CVE-2017-5208, CVE-2017-5331, CVE-2017-5332, CVE-2017-5333.
- More information:
Choongwoo Han reported an exploitable crash in wrestool from icoutils. The command line tools is e.g. used in KDE's metadataparsing.
It turned out that the correction for CVE-2017-5208 was not enough so an additional correction was needed.
But as I see it there are still combinations of the arguments which make the test succeed even though the the memory block identified by offset size is not fully inside memory total_size.
The memory check was not stringent enough on 64 bit systems.
For Debian 7
Wheezy, these problems have been fixed in version 0.29.1-5deb7u1.
We recommend that you upgrade your icoutils packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS