Bug 10816 - lcms2 new security issue CVE-2013-4160
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/561443/
Whiteboard: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-6...
Keywords: validated_update
Reported: 2013-07-22 19:01 CEST by David Walser
Modified: 2013-08-09 19:31 CEST
Source RPM: lcms2-2.4-3.mga3.src.rpm

Description David Walser 2013-07-22 19:01:27 CEST
A security issue (or issues) was fixed in the embedded copy of lcms2 in IcedTea 2.3.10.  The fix, or fixes, made their way into lcms2 2.5 upstream.

A CVE has been assigned to cover this (CVE-2013-4160):
http://openwall.com/lists/oss-security/2013/07/22/1

As noted in our IcedTea (java-1.7.0-openjdk) update, Oden has added the patch for lcms2 in SVN for Mageia 2 and Mageia 3:
https://bugs.mageia.org/show_bug.cgi?id=10564#c17

Cauldron is OK because it has been updated to lcms2 2.5.

Comment 1 David Walser 2013-07-22 19:03:01 CEST
In the discussion in the Novell bug, they decided to update OpenSuSE and SLES to lcms2 2.5:
https://bugzilla.novell.com/show_bug.cgi?id=826097#c9

Does anyone have a strong feeling one way or another about going with the patch Oden has already added to SVN vs. updating to 2.5 for Mageia 2 and Mageia 3?
Comment 2 David Walser 2013-07-30 19:10:49 CEST
Any thoughts anyone???

Ubuntu has issued an advisory for this on July 29:
http://www.ubuntu.com/usn/usn-1911-1/
Comment 3 Oden Eriksson 2013-08-01 10:27:40 CEST
I bumped it to 2.5 for mga2 and mga3 update_testing. Seems safe enough to me but will require more testing.
Comment 4 David Walser 2013-08-01 20:38:08 CEST
Ubuntu issued an update for ghostscript for this:
http://www.ubuntu.com/usn/usn-1911-2/

Is my understanding correct that we have ghostscript built against a system lcms2 and our ghostscript packages aren't bundling this code?
Comment 5 David Walser 2013-08-01 20:49:24 CEST
Assigning to QA so that testing may begin.

Advisory:
========================

Updated lcms2 packages fix security vulnerability:

It was discovered that Little CMS did not properly verify certain memory
allocations. If a user or automated system using Little CMS were tricked
into opening a specially crafted file, an attacker could cause Little CMS
to crash (CVE-2013-4160).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4160
http://www.ubuntu.com/usn/usn-1911-1/
========================

Updated packages in core/updates_testing:
========================
lcms2-2.5-1.mga2
liblcms2_2-2.5-1.mga2
liblcms2-devel-2.5-1.mga2
lcms2-2.5-1.mga3
liblcms2_2-2.5-1.mga3
liblcms2-devel-2.5-1.mga3

from SRPMS:
lcms2-2.5-1.mga2.src.rpm
lcms2-2.5-1.mga3.src.rpm
Comment 6 Oden Eriksson 2013-08-02 08:53:44 CEST
(In reply to David Walser from comment #4)
> Ubuntu issued an update for ghostscript for this:
> http://www.ubuntu.com/usn/usn-1911-2/
> 
> Is my understanding correct that we have ghostscript built against a system
> lcms2 and our ghostscript packages aren't bundling this code?

Yes, I broke that out years ago.
Comment 7 William Kenney 2013-08-05 17:10:24 CEST
Would these two sites be a good way to test this bug:

BBC Test Card
http://www.youtube.com/watch?v=KSFgolB7HHE

The Lagom LCD monitor test pages
http://www.lagom.nl/lcd-test/all_tests.php

I've used them for years.
Comment 8 David Walser 2013-08-05 19:30:57 CEST
Good question, I'm not really sure what this library does, but you can see things that use it with urpmq --whatrequires liblcms2_2
Comment 9 Dave Hodgins 2013-08-06 03:05:18 CEST
Advisory 10816.adv uploaded to svn.
Comment 10 William Kenney 2013-08-06 06:12:17 CEST
MGA3-32 ok for me

in VirtualBox

default install lcms-1.19-7.mga3.i586 from core release
[root@localhost wilcal]# urpmi lcms
Package lcms-1.19-7.mga3.i586 is already installed

Testing my Samsung 26in LCD Monitor using:
http://www.youtube.com/watch?v=KSFgolB7HHE
http://www.lagom.nl/lcd-test/all_tests.php
Color calibration pass
Tested using:
http://www.webkit.org/perf/sunspider/sunspider.html
For JavaScript, test ok.
Test ok with Acid 2 & Acid 3 Browser tests
http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/
Tested with Chromium Browser too

Remove lcms-1.19-7.mga3.i586

install lcms2-2.5-1.mga3.i586 from core updates_testing
[root@localhost wilcal]# urpmi lcms2
Package lcms2-2.5-1.mga3.i586 is already installed
Reboot system
Repeat tests above all good.
lcms installs as lcms2. Is this a problem?

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
Comment 11 William Kenney 2013-08-06 06:12:46 CEST
MGA3-64-OK for me

in VirtualBox

default install lcms-1.19-7.mga3.x86_64 from core release
[root@localhost wilcal]# urpmi lcms
Package lcms-1.19-7.mga3.x86_64 is already installed

Testing my Samsung 26in LCD Monitor using:
http://www.youtube.com/watch?v=KSFgolB7HHE
http://www.lagom.nl/lcd-test/all_tests.php
Color calibration pass
Tested using:
http://www.webkit.org/perf/sunspider/sunspider.html
For JavaScript, test ok.
Test ok with Acid 2 & Acid 3 Browser tests
http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/
Tested with Chromium Browser too

Remove lcms-1.19-7.mga3.i586

install lcms2-2.5-1.mga3.x86_64 from core updates_testing
[root@localhost wilcal]# urpmi lcms2
Package lcms2-2.5-1.mga3.x86_64 is already installed
Reboot system
Repeat tests above all good.
lcms installs as lcms2. Is this a problem?

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
Comment 12 Dave Hodgins 2013-08-06 07:18:51 CEST
William, please add MGA3-64-OK or MGA3-32-OK to the Whiteboard field, if
testing is complete on that release.

I'll test Mageia 2 shortly.
Comment 13 Dave Hodgins 2013-08-06 07:36:12 CEST
Testing complete on Mageia 2 i586 and x86_64.

Testing by confirming running mtpaint under strace loads liblcms2.

Could someone from the sysadmin team push 10816.adv to updates.
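
Added example (not part of the original thread): one way to script the check described in comment 13, by scanning strace output for a successful open of liblcms2 and ignoring the failed search-path probes. The sample trace lines and library paths are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `strace -f -e trace=open,openat <program>` output
# (not captured from a real run); the library paths are illustrative.
SAMPLE_TRACE='open("/usr/lib/tls/liblcms2.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/liblcms2.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib/libpng15.so.15", O_RDONLY|O_CLOEXEC) = 3
[pid  2211] openat(AT_FDCWD, "/usr/lib/liblcms2.so.2", O_RDONLY|O_CLOEXEC) = 4'

# loaded_libs TRACE_TEXT LIBNAME
# Print each distinct path whose basename starts with LIBNAME and whose
# open()/openat() call succeeded (non-negative return value). Failed probes
# of the loader search path (= -1 ENOENT) are skipped.
loaded_libs() {
    printf '%s\n' "$1" | awk -v lib="$2" '
        /open(at)?\(/ && / = [0-9]+$/ {
            # The path is the first double-quoted string on the line.
            if (match($0, /"[^"]*"/)) {
                path = substr($0, RSTART + 1, RLENGTH - 2)
                n = split(path, parts, "/")
                if (index(parts[n], lib) == 1 && !(path in seen)) {
                    seen[path] = 1
                    print path
                }
            }
        }'
}

# uses_system_lib TRACE_TEXT LIBNAME
# Exit status 0 if at least one successful load of LIBNAME was seen.
uses_system_lib() {
    [ -n "$(loaded_libs "$1" "$2")" ]
}

if uses_system_lib "$SAMPLE_TRACE" liblcms2.so; then
    echo "liblcms2 loaded from: $(loaded_libs "$SAMPLE_TRACE" liblcms2.so)"
fi
```

After installing the update, the reported path can be passed to `rpm -qf` to confirm it belongs to the updated liblcms2_2 package.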
Comment 14 Thomas Backlund 2013-08-09 19:31:33 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0240.html
