Hello, All three CVE were fixed by the upstream version liblnk-20180626 and packaged by Debian as liblnk_20180626-1. All subsequent liblnk packages contain the fixes.
=== More details. As pointed by [1] CVE-2018-12096 is actually bug in the upstream project libuna. Upstream and Debian distribute libuna as part of the liblnk package. CVE-2018-12096 is fixed by commits [2] and [3] (adding check into libuna/libuna_utf8_string.c). The fix was included into upstream liblnk version 20180626 and into the Debian package liblnk_20180626-1. === As pointed by [1] CVE-2018-12097 and CVE-2018-12098 are actually fixed in the upstream issue 32 [4] by commit [5]: * Corrected unicode_value_size calculation in liblnk/liblnk_location_information.c for CVE-2018-12097 * Added data_size check into liblnk/liblnk_data_block.c for CVE-2018-12098 The fix was included into upstream liblnk version 20180626 and into the Debian package liblnk_20180626-1. [1] https://github.com/libyal/liblnk/issues/33 [2] https://github.com/libyal/libuna/commit/aca678aa7e49ca628f1b27a53fdea883fa8764bb [3] https://github.com/libyal/libuna/commit/f22aca8b649afe5cef529d9268186bfe591b7f89 [4] https://github.com/libyal/liblnk/issues/32 [5] https://github.com/libyal/liblnk/commit/cb7fe0c66a5a01c19f1953fc7814c4fedfdc5785
OpenPGP_signature
Description: OpenPGP digital signature