-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4593-1                   security@debian.org
https://www.debian.org/security/                            Hugo Lefeuvre
December 27, 2019                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : freeimage
CVE ID         : CVE-2019-12211 CVE-2019-12213
Debian Bug     : 929597

It was found that freeimage, a graphics library, was affected by the
following two security issues:

CVE-2019-12211

    Heap buffer overflow caused by invalid memcpy in PluginTIFF. This
    flaw might be leveraged by remote attackers to trigger denial of
    service or any other unspecified impact via crafted TIFF data.

CVE-2019-12213

    Stack exhaustion caused by unwanted recursion in PluginTIFF. This
    flaw might be leveraged by remote attackers to trigger denial of
    service via crafted TIFF data.

For the oldstable distribution (stretch), these problems have been fixed
in version 3.17.0+ds1-5+deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 3.18.0+ds2-1+deb10u1.

We recommend that you upgrade your freeimage packages.

For the detailed security status of freeimage please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/freeimage

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl4GgCUACgkQEMKTtsN8
TjYEAhAAlG23fvEZtYYEB7RDesOVnBYEtjAmSCDaomqEOJFcvUtMHkkHZ4x4vcg9
w3X2FyRynTfZ75r0fp0cMs1ocrfa7SVaVmVBVi3fd/4nEzJtrjGcHAYwMrw7F2DH
GZ7+PBQSuNYd4k87RQl2xKvlRNIH4ifbZnIdpVsiuOEPFt8vlLYgh/31lIzrdT/v
YwPV7rdY7/3yNIUV7XOdhGKZ/esipZRPQLes3nduq5A9wo8kGwbQPnVMzLBLAwIH
T1bMStWau0Wbb7sXSr19LbkxBBVyDP9sZ/1rQfNLxHQFtg/zJfj0kfC1N4//1IrC
HVXU4BF0KMiyCi+Zk08c0S1d3Wt+f++wzKegOwgqII5qVurAaBqHcveu2tahVbuo
oQr+ObI3AlREWuhI6WE1u8KwTi5EKvUTkqJtoegX90GAilNMDs34JgjuyC7EB9vn
sows7yzH/UnLti+1TBHaux45cu5UU5p4QKVunvizs2YR34xITWPJ2Zv+b8/LCm3/
ZuXdwdyn2HU/C8wTFnPlk3d9I6nGcPaVmGwH9/zhRU8DV5ERf2Nqqfyk4LPW4hkj
TcegCC/Ti45/yceQ5ELn4Yo9B+clQIQscxrUtA5DaZwSlvXMaVfoDFK6vZnbaDY7
fsRA17VCzc1+L7iHhs0WUks145MW97FsEAU4uCoKdH+jlcBhSoc=
=PzJY
-----END PGP SIGNATURE-----