
   openSUSE Security Update: Security update for libquicktime
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2017:1806-1
Rating:             moderate
References:         #1044000 #1044002 #1044006 #1044008 #1044009 #1044077
                    #1044122
Cross-References:   CVE-2017-9122 CVE-2017-9123 CVE-2017-9124 CVE-2017-9125
                    CVE-2017-9126 CVE-2017-9127 CVE-2017-9128
Affected Products:
                    openSUSE Leap 42.2
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.

Description:

   This update for libquicktime fixes the following issues:

   * CVE-2017-9122: A DoS in quicktime_read_moov function in moov.c via a
     crafted mp4 file was fixed. (boo#1044077)
   * CVE-2017-9123: An invalid memory read in lqt_frame_duration via a
     crafted mp4 file was fixed. (boo#1044009)
   * CVE-2017-9124: A NULL pointer dereference in quicktime_match_32 via a
     crafted mp4 file was fixed. (boo#1044008)
   * CVE-2017-9125: A DoS in lqt_frame_duration function in lqt_quicktime.c
     via a crafted mp4 file was fixed. (boo#1044122)
   * CVE-2017-9126: A heap-based buffer overflow in
     quicktime_read_dref_table via a crafted mp4 file was fixed.
     (boo#1044006)
   * CVE-2017-9127: A heap-based buffer overflow in
     quicktime_user_atoms_read_atom via a crafted mp4 file was fixed.
     (boo#1044002)
   * CVE-2017-9128: A heap-based buffer over-read in quicktime_video_width
     via a crafted mp4 file was fixed. (boo#1044000)

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.2:

      zypper in -t patch openSUSE-2017-785=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE Leap 42.2 (i586 x86_64):

      libquicktime-debugsource-1.2.4cvs20150223-8.3.1
      libquicktime-devel-1.2.4cvs20150223-8.3.1
      libquicktime-tools-1.2.4cvs20150223-8.3.1
      libquicktime-tools-debuginfo-1.2.4cvs20150223-8.3.1
      libquicktime0-1.2.4cvs20150223-8.3.1
      libquicktime0-debuginfo-1.2.4cvs20150223-8.3.1

   - openSUSE Leap 42.2 (x86_64):

      libquicktime0-32bit-1.2.4cvs20150223-8.3.1
      libquicktime0-debuginfo-32bit-1.2.4cvs20150223-8.3.1

References:

   https://www.suse.com/security/cve/CVE-2017-9122.html
   https://www.suse.com/security/cve/CVE-2017-9123.html
   https://www.suse.com/security/cve/CVE-2017-9124.html
   https://www.suse.com/security/cve/CVE-2017-9125.html
   https://www.suse.com/security/cve/CVE-2017-9126.html
   https://www.suse.com/security/cve/CVE-2017-9127.html
   https://www.suse.com/security/cve/CVE-2017-9128.html
   https://bugzilla.suse.com/1044000
   https://bugzilla.suse.com/1044002
   https://bugzilla.suse.com/1044006
   https://bugzilla.suse.com/1044008
   https://bugzilla.suse.com/1044009
   https://bugzilla.suse.com/1044077
   https://bugzilla.suse.com/1044122