UbuntuUpdates.org

Package "libflightcrew0v5"

Name: libflightcrew0v5

Description:

C++ library for epub validation

Latest version: 0.7.2+dfsg-6ubuntu0.1
Release: xenial (16.04)
Level: updates
Repository: universe
Head package: flightcrew
Homepage: http://code.google.com/p/flightcrew

Other versions of "libflightcrew0v5" in Xenial

Repository  Area      Version
base        universe  0.7.2+dfsg-6
security    universe  0.7.2+dfsg-6ubuntu0.1

Changelog

Version: 0.7.2+dfsg-6ubuntu0.1 2019-07-15 14:07:03 UTC

  flightcrew (0.7.2+dfsg-6ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: NULL pointer dereference (DoS) when processing crafted
    EPUB file
    - debian/patches/CVE-2019-13032-1.patch: prevent segfault from malformed
      opf items in GetRelativePathToNcx()
    - debian/patches/CVE-2019-13032-2.patch: prevent segfault from malformed
      opf items in GetRelativePathsToXhtmlDocuments()
    - CVE-2019-13032
  * SECURITY UPDATE: Zip Slip directory traversal when processing a crafted
    EPUB file
    - debian/patches/CVE-2019-13241-1.patch: try to make extracting epubs safer
    - debian/patches/CVE-2019-13241-2.patch: further harden zip extraction to
      always be safe
    - debian/patches/CVE-2019-13241-3.patch: harden further by throwing
      exception
    - CVE-2019-13241
  * SECURITY UPDATE: Infinite loop leading to DoS and resource consumption
    - debian/patches/CVE-2019-13453.patch: Prevent infinite loop in zipios
      library by checking for EOF
    - CVE-2019-13453

 -- Mike Salvatore <email address hidden> Mon, 01 Jul 2019 15:30:43 -0400

CVE-2019-13032 An issue was discovered in FlightCrew v0.9.2 and earlier. A NULL pointer dereference occurs in GetRelativePathToNcx() or GetRelativePathsToXhtmlDocum
CVE-2019-13241 FlightCrew v0.9.2 and older are vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in a ZIP a
CVE-2019-13453 RESERVED


