| Summary: | lcms2 new security issue CVE-2013-4160 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, fundawang, mageia, oe, sysadmin-bugs, tmb, wilcal.int |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/561443/ | ||
| Whiteboard: | MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK | ||
| Source RPM: | lcms2-2.4-3.mga3.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2013-07-22 19:01:27 CEST
In the discussion in the Novell bug, they decided to update OpenSuSE and SLES to lcms2 2.5: https://bugzilla.novell.com/show_bug.cgi?id=826097#c9

Does anyone have a strong feeling one way or another about going with the patch Oden has already added to SVN vs. updating to 2.5 for Mageia 2 and Mageia 3?

CC: (none) => fundawang, mageia, oe

Any thoughts anyone???

Ubuntu has issued an advisory for this on July 29: http://www.ubuntu.com/usn/usn-1911-1/

URL: (none) => http://lwn.net/Vulnerabilities/561443/

I bumped it to 2.5 for mga2 and mga3 update_testing. Seems safe enough to me but will require more testing.

Ubuntu issued an update for ghostscript for this: http://www.ubuntu.com/usn/usn-1911-2/

Is my understanding correct that we have ghostscript built against a system lcms2 and our ghostscript packages aren't bundling this code?

Assigning to QA so that testing may begin.

Advisory:
========================

Updated lcms2 packages fix security vulnerability:

It was discovered that Little CMS did not properly verify certain memory allocations. If a user or automated system using Little CMS were tricked into opening a specially crafted file, an attacker could cause Little CMS to crash (CVE-2013-4160).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4160
http://www.ubuntu.com/usn/usn-1911-1/
========================

Updated packages in core/updates_testing:
========================
lcms2-2.5-1.mga2
liblcms2_2-2.5-1.mga2
liblcms2-devel-2.5-1.mga2
lcms2-2.5-1.mga3
liblcms2_2-2.5-1.mga3
liblcms2-devel-2.5-1.mga3

from SRPMS:
lcms2-2.5-1.mga2.src.rpm
lcms2-2.5-1.mga3.src.rpm

Assignee: bugsquad => qa-bugs

(In reply to David Walser from comment #4)
> Ubuntu issued an update for ghostscript for this:
> http://www.ubuntu.com/usn/usn-1911-2/
>
> Is my understanding correct that we have ghostscript built against a system
> lcms2 and our ghostscript packages aren't bundling this code?

Yes, I broke that out years ago.

Would these two sites be a good way to test this bug:

BBC Test Card
http://www.youtube.com/watch?v=KSFgolB7HHE

The Lagom LCD monitor test pages
http://www.lagom.nl/lcd-test/all_tests.php

I've used them for years.

CC: (none) => wilcal.int

Good question, I'm not really sure what this library does, but you can see things that use it with urpmq --whatrequires liblcms2_2

Advisory 10816.adv uploaded to svn.

CC: (none) => davidwhodgins

MGA3-32 ok for me in VirtualBox

default install lcms-1.19-7.mga3.i586 from core release

[root@localhost wilcal]# urpmi lcms
Package lcms-1.19-7.mga3.i586 is already installed

Testing my Samsung 26in LCD Monitor using:
http://www.youtube.com/watch?v=KSFgolB7HHE
http://www.lagom.nl/lcd-test/all_tests.php
Color calibration pass

Tested using: http://www.webkit.org/perf/sunspider/sunspider.html
For JavaScript, test ok.

Test ok with Acid 2 & Acid 3 Browser tests
http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/
Tested with Chromium Browser too

Remove lcms-1.19-7.mga3.i586
install lcms2-2.5-1.mga3.i586 from core updates_testing

[root@localhost wilcal]# urpmi lcms2
Package lcms2-2.5-1.mga3.i586 is already installed

Reboot system
Repeat tests above all good.

lcms installs as lcms2. Is this a problem?

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm

MGA3-64-OK for me in VirtualBox

default install lcms-1.19-7.mga3.x86_64 from core release

[root@localhost wilcal]# urpmi lcms
Package lcms-1.19-7.mga3.x86_64 is already installed

Testing my Samsung 26in LCD Monitor using:
http://www.youtube.com/watch?v=KSFgolB7HHE
http://www.lagom.nl/lcd-test/all_tests.php
Color calibration pass

Tested using: http://www.webkit.org/perf/sunspider/sunspider.html
For JavaScript, test ok.

Test ok with Acid 2 & Acid 3 Browser tests
http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/
Tested with Chromium Browser too

Remove lcms-1.19-7.mga3.i586
install lcms2-2.5-1.mga3.x86_64 from core updates_testing

[root@localhost wilcal]# urpmi lcms2
Package lcms2-2.5-1.mga3.x86_64 is already installed

Reboot system
Repeat tests above all good.

lcms installs as lcms2. Is this a problem?

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm

William, please add MGA3-64-OK or MGA3-32-OK to the Whiteboard field, if testing is complete on that release.

I'll test Mageia 2 shortly.

Whiteboard: MGA2TOO => MGA2TOO MGA3-64-OK MGA3-32-OK

Testing complete on Mageia 2 i586 and x86_64.

Testing by confirming running mtpaint under strace loads liblcms2.

Could someone from the sysadmin team push 10816.adv to updates?

Keywords: (none) => validated_update

Update pushed: http://advisories.mageia.org/MGASA-2013-0240.html

Status: NEW => RESOLVED
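The validation step described in the thread (confirming under strace that an application such as mtpaint actually loads the updated liblcms2) can be scripted by reading /proc/&lt;pid&gt;/maps instead of tracing. The following is an added example, not code from the bug report or from Mageia QA; the library file names in the sample maps data are constructed, and the expected-version string is an assumption to be replaced with the real one from the installed package.

```shell
#!/bin/sh
# Added example (not from the bug report): check that a running process has the
# updated liblcms2 mapped, rather than a pre-update copy that was loaded before
# the package was replaced. Sample file names below are constructed.

# Print each distinct mapped path in a /proc/<pid>/maps-style file whose
# pathname column (6th field) contains the given soname fragment.
mapped_libs() {
    maps_file="$1"; soname="$2"
    awk -v so="$soname" 'NF >= 6 && index($6, so) { print $6 }' "$maps_file" | sort -u
}

# Same check against a live process: mapped_libs_pid <pid> liblcms2.so
mapped_libs_pid() {
    mapped_libs "/proc/$1/maps" "$2"
}

# Return 0 if the mapped copy's file name carries the expected version string,
# 1 if an older copy is still mapped (the process needs restarting), 2 if the
# library is not loaded at all.
check_lib_version() {
    maps_file="$1"; soname="$2"; want="$3"
    path=$(mapped_libs "$maps_file" "$soname")
    [ -n "$path" ] || { echo "NOT LOADED: $soname"; return 2; }
    case "$path" in
        *"$want"*) echo "OK: $path"; return 0 ;;
        *)         echo "STALE: $path (expected $want)"; return 1 ;;
    esac
}

# Constructed sample modelled on /proc/<pid>/maps for a process started before
# the update, so the pre-update library (hypothetical name) is still mapped.
SAMPLE_MAPS=$(mktemp)
cat > "$SAMPLE_MAPS" <<'EOF'
7f1a2c000000-7f1a2c021000 r-xp 00000000 08:01 1234 /usr/lib64/liblcms2.so.2.0.4
7f1a2c021000-7f1a2c220000 ---p 00021000 08:01 1234 /usr/lib64/liblcms2.so.2.0.4
7f1a2c220000-7f1a2c221000 rw-p 00000000 00:00 0
7f1a2c300000-7f1a2c4b0000 r-xp 00000000 08:01 5678 /lib64/libc-2.17.so
EOF

# Demo: reports STALE for the sample; '|| true' keeps the script's exit status 0.
check_lib_version "$SAMPLE_MAPS" liblcms2.so liblcms2.so.2.0.5 || true
```

Against a live system, run `mapped_libs_pid "$(pidof mtpaint)" liblcms2.so` after the update and compare the path with the file listed by `rpm -ql liblcms2_2`.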