Bug 11057

Summary: Buffer overflows in Little CMS v1.19 (CVE-2013-4276)
Product: Mageia
Reporter: Oden Eriksson <oe>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: davidwhodgins, luigiwalser, sysadmin-bugs, tmb
Version: 3
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4276
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
Source RPM: lcms
CVE:
Status comment:

Description Oden Eriksson 2013-08-22 12:15:54 CEST
https://bugzilla.redhat.com/show_bug.cgi?id=991757
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718682

" Pedro Ribeiro 2013-08-04 05:44:38 EDT

Created attachment 782447 [details]
Patch to correct the buffer overflows

Description of problem:

I have found three (lame) buffer overflows in lcms-1.19. The problem lies in the use of dangerous functions like scanf and sprintf to handle user input.

I have contacted the Little CMS developer and his answer was that "people concerned about security should update to Little CMS v2". To be honest I think it's a reasonable answer since he has stopped supporting lcms-1 in 2009. However this appears to be a package that is still widely in use in several distributions, and included in other software as a library.

I am attaching patches here to address the issue. These have been compile tested but I did not do any test beyond that. Please note that I am sending this via a mobile device and the patches might be mangled (hopefully not).

If you have any questions please contact me back. If you do issue an advisory, please credit Pedro Ribeiro (pedrib@gmail.com).

Regards, 
Pedro"
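
The bug class named in the report above (unbounded scanf and sprintf on user input), shown with bounded replacements. This is an added example, not code from lcms or from the attached patch; the function names, buffer sizes and sample input are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_MAX 15            /* hypothetical field size, not from lcms */
#define STR2(x) #x
#define STR(x) STR2(x)

/* Unsafe pattern, for contrast only (not compiled): no width, no bound.
 *   char name[16]; scanf("%s", name);   char out[12]; sprintf(out, "%s.icm", name); */

/* Copy one whitespace-delimited token into name; the field width caps the
 * write at TOKEN_MAX chars plus NUL. Returns 0, or -1 if absent or too long. */
int read_token_bounded(const char *input, char name[TOKEN_MAX + 1])
{
    int consumed = 0;
    name[0] = '\0';
    if (sscanf(input, " %" STR(TOKEN_MAX) "s%n", name, &consumed) != 1)
        return -1;
    /* A non-space character right after the match means the token was cut. */
    if (input[consumed] != '\0' && !isspace((unsigned char)input[consumed])) {
        name[0] = '\0';
        return -1;
    }
    return 0;
}

/* Build "<name><suffix>" in out. snprintf writes at most outsz bytes and returns
 * the length it needed, so n >= outsz means truncation. Returns length or -1. */
int build_filename_bounded(char *out, size_t outsz,
                           const char *name, const char *suffix)
{
    int n = snprintf(out, outsz, "%s%s", name, suffix);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0)
            out[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char name[TOKEN_MAX + 1], out[12];
    if (read_token_bounded("sRGB trailing", name) == 0 && /* constructed input */
        build_filename_bounded(out, sizeof out, name, ".icm") > 0)
        puts(out);
    return 0;
}
```

Both helpers reject over-long input instead of silently truncating it, so a caller never acts on a partial name.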

Comment 1 Oden Eriksson 2013-08-22 12:17:13 CEST
Fixed with the lcms-1.19-buffer-overflows.patch patch by David Walser for all affected packages.

Comment 2 Oden Eriksson 2013-08-22 12:17:52 CEST
CVE assignment: http://www.openwall.com/lists/oss-security/2013/08/22/3

Comment 3 David Walser 2013-08-22 13:42:21 CEST
Thanks for filing the bug Oden.  I've revprop'd my commit log entries for when I added that patch and added the CVE, and pushed to updates_testing for mga2 and mga3.

CC: (none) => luigiwalser
Version: 2 => 3
Whiteboard: (none) => MGA2TOO

Comment 4 David Walser 2013-08-22 14:45:32 CEST
Advisory:
========================

Updated lcms packages fix security vulnerability:

Three buffer overflows in Little CMS version 1.19 that could possibly be
exploited through user input (CVE-2013-4276).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4276
http://www.openwall.com/lists/oss-security/2013/08/21/19
========================

Updated packages in core/updates_testing:
========================
lcms-1.19-6.1.mga2
liblcms1-1.19-6.1.mga2
liblcms-devel-1.19-6.1.mga2
python-lcms-1.19-6.1.mga2
lcms-1.19-7.1.mga3
liblcms1-1.19-7.1.mga3
liblcms-devel-1.19-7.1.mga3
python-lcms-1.19-7.1.mga3

from SRPMS:
lcms-1.19-6.1.mga2.src.rpm
lcms-1.19-7.1.mga3.src.rpm

Assignee: bugsquad => qa-bugs

Comment 5 Dave Hodgins 2013-08-22 22:03:53 CEST
Advisory 11057.adv uploaded to svn.

CC: (none) => davidwhodgins

Comment 6 claire robinson 2013-08-23 15:35:02 CEST
Testing complete mga2 32 & 64

Opened various image types in gimp including some raw image files which open in gimp via ufraw.

urpmq --whatrequires liblcms1

Whiteboard: MGA2TOO => MGA2TOO has_procedure mga2-32-ok mga2-64-ok

Comment 7 claire robinson 2013-08-23 17:27:42 CEST
Testing complete mga3 32 & 64 same way

Validating.

Could sysadmin please push from 2 & 3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2013-08-26 21:52:28 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0260.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED