Category Archives: Debian

Debian Security Advisories

DSA-3078 libksba – security update

An integer underflow flaw, leading to a heap-based buffer overflow, was
found in the ksba_oid_to_str() function of libksba, an X.509 and CMS
(PKCS#7) library. By using special crafted S/MIME messages or ECC based
OpenPGP data, it is possible to create a buffer overflow, which could
cause an application using libksba to crash (denial of service), or
potentially, execute arbitrary code.

DSA-3074 php5 – security update

Francisco Alonso of Red Hat Product Security found an issue in the file
utility, whose code is embedded in PHP, a general-purpose scripting
language. When checking ELF files, note headers are incorrectly
checked, thus potentially allowing attackers to cause a denial of
service (out-of-bounds read and application crash) by supplying a
specially crafted ELF file.

DSA-3071 nss – security update

In nss, a set of libraries designed to support cross-platform
development of security-enabled client and server applications, Tyson
Smith and Jesse Schwartzentruber discovered a use-after-free
vulnerability that allows remote attackers to execute arbitrary code by
triggering the improper removal of an NSSCertificate structure from a
trust domain.

[BSA-099] Security update for libreofice

Rene Engelhard uploaded new packages for libreoffice which fixed the
following security problems:

CVE-2014-3693:
   Use-After-Free in socket manager of Impress Remote

   It was discovered that LibreOffice 4.0.0 and later does not manage the port
   1599 for the LibreOffice Impress correctly. An external attackers with
   access to that port could cause the deleted port manager to continue to
   process attacker supplied data.

Note that this update also disables the remote contol per default as it
listens on port 1599 "to the world" per default. If you want/need it you
need to enable it manally:
   1. Open LibreOffice, go to "Tools -> Options..."                             
   2. Select "LibreOffice Impress -> General"                                   
   3. Check "Presentation -> Enable remote control" 

For the wheezy-backports distribution the problems have been fixed in
version 1:4.3.3~rc2-1~bpo70+1.