Format: 1.8
Date: Thu, 25 Feb 2021 08:32:07 +0100
Source: xcftools
Architecture: source
Version: 1.0.7-6.1
Distribution: unstable
Urgency: high
Maintainer: Jan Hauke Rahm <jhr@debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Closes: 945317
Changes:
 xcftools (1.0.7-6.1) unstable; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2019-5086 and CVE-2019-5087:
     An exploitable integer overflow vulnerability exists in the
     flattenIncrementally function in the xcf2png and xcf2pnm binaries of
     xcftools. An integer overflow can occur while walking through tiles that
     could be exploited to corrupt memory and execute arbitrary code. In order
     to trigger this vulnerability, a victim would need to open a specially
     crafted XCF file. (Closes: #945317)
Checksums-Sha1:
 5d4b7d90db048632eb1d1a735121a72f305ee667 2041 xcftools_1.0.7-6.1.dsc
 8b8ded7dbb51abcae3465b8fd38f5df17fd21646 9168 xcftools_1.0.7-6.1.debian.tar.xz
 08e4c6dddf7764407ecca2aec4f5b547bf422b6d 6282 xcftools_1.0.7-6.1_amd64.buildinfo
Checksums-Sha256:
 ab92aafb0af366d70dfc141f76189df53cad24936500f6150cc1c07cd5ecffff 2041 xcftools_1.0.7-6.1.dsc
 ec3c285c1900da6e464532c6345ad5a3d917b9e2aa1390a87d51a285ccc93637 9168 xcftools_1.0.7-6.1.debian.tar.xz
 b4f22e7debf6d0851c72e4f48fbd490dc02359c0a17491577bb3823eb5910999 6282 xcftools_1.0.7-6.1_amd64.buildinfo
Files:
 768bc90e3b3430f01908b2243d23b2b5 2041 graphics optional xcftools_1.0.7-6.1.dsc
 4bb163b21077dac8c0941c9edf0b1421 9168 graphics optional xcftools_1.0.7-6.1.debian.tar.xz
 6df217c0a1d45961fa623aef5ac43f0e 6282 graphics optional xcftools_1.0.7-6.1_amd64.buildinfo