Format: 1.8
Date: Tue, 09 Feb 2021 23:17:14 +0100
Source: xcftools
Architecture: source
Version: 1.0.7-6+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Jan Hauke Rahm <jhr@debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Changes:
 xcftools (1.0.7-6+deb10u1) buster; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2019-5086 and CVE-2019-5087:
     An exploitable integer overflow vulnerability exists in the
     flattenIncrementally function in the xcf2png and xcf2pnm binaries of
     xcftools. An integer overflow can occur while walking through tiles that
     could be exploited to corrupt memory and execute arbitrary code. In order
     to trigger this vulnerability, a victim would need to open a specially
     crafted XCF file.