Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write
NTFS driver for FUSE, does not scrub the environment before executing
modprobe with elevated privileges. A local user can take advantage of
this flaw for local root privilege escalation.
Category Archives: Debian
Debian Security Advisories
DSA-3777 libgd2 – security update
Multiple vulnerabilities have been discovered in libgd2, a library for
programmatic graphics creation and manipulation, which may result in
denial of service or potentially the execution of arbitrary code if a
malformed file is processed.
DSA-3776 chromium-browser – security update
Several vulnerabilities have been discovered in the chromium web browser.
DSA-3778 ruby-archive-tar-minitar – security update
Michal Marek discovered that ruby-archive-tar-minitar, a Ruby library
that provides the ability to deal with POSIX tar archive files, is prone
to a directory traversal vulnerability. An attacker can take advantage
of this flaw to overwrite arbitrary files during archive extraction via
a .. (dot dot) in an extracted filename.
DSA-3775 tcpdump – security update
Multiple vulnerabilities have been discovered in tcpdump, a command-line
network traffic analyzer. These vulnerabilities might result in denial
of service or the execution of arbitrary code.
DSA-3774 lcms2 – security update
Ibrahim M. El-Sayed discovered an out-of-bounds heap read vulnerability
in the function Type_MLU_Read in lcms2, the Little CMS 2 color
management library, which can be triggered by an image with a specially
crafted ICC profile and leading to a heap memory leak or
denial-of-service for applications using the lcms2 library.
DSA-3773 openssl – security update
Several vulnerabilities were discovered in OpenSSL:
DSA-3772 libxpm – security update
Tobias Stoeckmann discovered that the libXpm library contained two
integer overflow flaws, leading to a heap out-of-bounds write, while
parsing XPM extensions in a file. An attacker can provide a specially
crafted XPM file that, when processed by an application using the libXpm
library, would cause a denial-of-service against the application, or
potentially, the execution of arbitrary code with the privileges of the
user running the application.
DSA-3771 firefox-esr – security update
Multiple security issues have been found in the Mozilla Firefox web
browser: Memory safety errors, use-after-frees and other implementation
errors may lead to the execution of arbitrary code, information
disclosure or privilege escalation.
DSA-3770 mariadb-10.0 – security update
Several issues have been discovered in the MariaDB database server. The
vulnerabilities are addressed by upgrading MariaDB to the new upstream
version 10.0.29. Please see the MariaDB 10.0 Release Notes for further
details: