Headline
Debian Security Advisory 5323-1
Debian Linux Security Advisory 5323-1 - It was discovered that the CompareTool of iText, a Java PDF library which uses the external ghostscript software to compare PDFs at a pixel level, allowed command injection when parsing a specially crafted filename.
-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5323-1 [email protected]://www.debian.org/security/ Markus KoschanyJanuary 19, 2023 https://www.debian.org/security/faq- -------------------------------------------------------------------------Package : libitext5-javaCVE ID : CVE-2021-43113Debian Bug : 1014597It was discovered that the CompareTool of iText, a Java PDF library which usesthe external ghostscript software to compare PDFs at a pixel level, allowedcommand injection when parsing a specially crafted filename.For the stable distribution (bullseye), this problem has been fixed inversion 5.5.13.2-1+deb11u1.We recommend that you upgrade your libitext5-java packages.For the detailed security status of libitext5-java please refer toits security tracker page at:https://security-tracker.debian.org/tracker/libitext5-javaFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: [email protected] PGP SIGNATURE-----iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmPJxhlfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFDRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7UeSSQw//dNjqrUajjV4/7uztzOajIWwBM7Ra3PNl3Up9jaZJaKdhdBAtDT4qRjK+lVx9CNojQplJQ6k4N3Yzq0Ose3HozR99+bj2J/MC8+skq8LpChDzKCVdVww9To9TXxWaHWHlxSyn9j8nZTvbBAiQcr/KdZFuivFlLtmiLKG0n0S/Czp3YEwYcmv27LbSCehfmOjxpgbLOWGScqQqk9e3aisQ7twMIVU1ED3rKDsjqSHOkxEq9ZZo04TRxGnfokue6KYTizeQq396mzLPd8HlFzTJGDjMqokyrNYBPxFZqPVXm40GSyZiA2OEXcbaTxikx6+XSi/yqngVZxa9gZPL1ATCNaPoJh+n/4eLczHXm90MZ7JWHe8AIGV4mA5iW3olP4blcyRcS10bxwR/qwNikrr0j7PSLv/SP6T/p+ZUzpBXcV9+tPPfzAQ/Wsjd9h/fuPiAdA06OBe0r9hXwO6hX6bxCVVwK6gA8vzCY84kgQp8HUXa6RBSxy/xbfFEGqQW1VToiOOL4IhMY7Pl/4NAaUJUxc4kbpFh2Y8BKytPAivk+DfZGpfsGxP+QXYR5l7nfnIS+j6+F/wL77cxaCGgF7NgH9YuRYQypstHRDrAqGbA97ZE2bAfBX/9TpIGeyqG9sE+rrCbcm/dDr7be31f5TVQ4XmV4gZSE5iw7x5tg+1Wj9c==Z8P9-----END PGP SIGNATURE-----Related news
Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).
iTextPDF in iText 7 and up to 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.