A security issue (or issues) was fixed in the embedded copy of lcms2 in IcedTea 2.3.10. The fix, or fixes, made their way into lcms2 2.5 upstream. A CVE has been assigned to cover this (CVE-2013-4160):
http://openwall.com/lists/oss-security/2013/07/22/1

As noted in our IcedTea (java-1.7.0-openjdk) update, Oden has added the patch for lcms2 in SVN for Mageia 2 and Mageia 3:
https://bugs.mageia.org/show_bug.cgi?id=10564#c17

Cauldron is OK because it has been updated to lcms2 2.5.
In the discussion in the Novell bug, they decided to update OpenSuSE and SLES to lcms2 2.5:
https://bugzilla.novell.com/show_bug.cgi?id=826097#c9

Does anyone have a strong feeling one way or another about going with the patch Oden has already added to SVN vs. updating to 2.5 for Mageia 2 and Mageia 3?
CC: (none) => fundawang, mageia, oe
Whiteboard: (none) => MGA2TOO
Any thoughts anyone???

Ubuntu has issued an advisory for this on July 29:
http://www.ubuntu.com/usn/usn-1911-1/
URL: (none) => http://lwn.net/Vulnerabilities/561443/
I bumped it to 2.5 for mga2 and mga3 update_testing. Seems safe enough to me but will require more testing.
Ubuntu issued an update for ghostscript for this:
http://www.ubuntu.com/usn/usn-1911-2/

Is my understanding correct that we have ghostscript built against a system lcms2 and our ghostscript packages aren't bundling this code?
Assigning to QA so that testing may begin.

Advisory:
========================

Updated lcms2 packages fix security vulnerability:

It was discovered that Little CMS did not properly verify certain memory allocations. If a user or automated system using Little CMS were tricked into opening a specially crafted file, an attacker could cause Little CMS to crash (CVE-2013-4160).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4160
http://www.ubuntu.com/usn/usn-1911-1/
========================

Updated packages in core/updates_testing:
========================
lcms2-2.5-1.mga2
liblcms2_2-2.5-1.mga2
liblcms2-devel-2.5-1.mga2
lcms2-2.5-1.mga3
liblcms2_2-2.5-1.mga3
liblcms2-devel-2.5-1.mga3

from SRPMS:
lcms2-2.5-1.mga2.src.rpm
lcms2-2.5-1.mga3.src.rpm
Assignee: bugsquad => qa-bugs
(In reply to David Walser from comment #4)
> Ubuntu issued an update for ghostscript for this:
> http://www.ubuntu.com/usn/usn-1911-2/
>
> Is my understanding correct that we have ghostscript built against a system
> lcms2 and our ghostscript packages aren't bundling this code?

Yes, I broke that out years ago.
Would these two sites be a good way to test this bug:

BBC Test Card
http://www.youtube.com/watch?v=KSFgolB7HHE

The Lagom LCD monitor test pages
http://www.lagom.nl/lcd-test/all_tests.php

I've used them for years.
CC: (none) => wilcal.int
Good question, I'm not really sure what this library does, but you can see things that use it with urpmq --whatrequires liblcms2_2
Advisory 10816.adv uploaded to svn.
CC: (none) => davidwhodgins
MGA3-32 ok for me in VirtualBox default install

lcms-1.19-7.mga3.i586 from core release
[root@localhost wilcal]# urpmi lcms
Package lcms-1.19-7.mga3.i586 is already installed

Testing my Samsung 26in LCD Monitor using:
http://www.youtube.com/watch?v=KSFgolB7HHE
http://www.lagom.nl/lcd-test/all_tests.php
Color calibration pass

Tested using:
http://www.webkit.org/perf/sunspider/sunspider.html
For JavaScript, test ok.

Test ok with Acid 2 & Acid 3 Browser tests
http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/
Tested with Chromium Browser too

Remove lcms-1.19-7.mga3.i586
install lcms2-2.5-1.mga3.i586 from core updates_testing
[root@localhost wilcal]# urpmi lcms2
Package lcms2-2.5-1.mga3.i586 is already installed

Reboot system
Repeat tests above all good.
lcms installs as lcms2. Is this a problem?

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
MGA3-64-OK for me in VirtualBox default install

lcms-1.19-7.mga3.x86_64 from core release
[root@localhost wilcal]# urpmi lcms
Package lcms-1.19-7.mga3.x86_64 is already installed

Testing my Samsung 26in LCD Monitor using:
http://www.youtube.com/watch?v=KSFgolB7HHE
http://www.lagom.nl/lcd-test/all_tests.php
Color calibration pass

Tested using:
http://www.webkit.org/perf/sunspider/sunspider.html
For JavaScript, test ok.

Test ok with Acid 2 & Acid 3 Browser tests
http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/
Tested with Chromium Browser too

Remove lcms-1.19-7.mga3.i586
install lcms2-2.5-1.mga3.x86_64 from core updates_testing
[root@localhost wilcal]# urpmi lcms2
Package lcms2-2.5-1.mga3.x86_64 is already installed

Reboot system
Repeat tests above all good.
lcms installs as lcms2. Is this a problem?

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
William, please add MGA3-64-OK or MGA3-32-OK to the Whiteboard field, if testing is complete on that release. I'll test Mageia 2 shortly.
Whiteboard: MGA2TOO => MGA2TOO MGA3-64-OK MGA3-32-OK
Testing complete on Mageia 2 i586 and x86_64. Testing by confirming running mtpaint under strace loads liblcms2. Could someone from the sysadmin team push 10816.adv to updates.
Keywords: (none) => validated_update
Whiteboard: MGA2TOO MGA3-64-OK MGA3-32-OK => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs
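The testing above relies on two facts from this report: the fix is in upstream lcms2 2.5 or later, and an application is only protected if it links the system liblcms2 rather than carrying its own copy. As an added example (not from this bug report, nor Mageia's or lcms2's own tooling), the POSIX shell script below scripts both checks: it judges an rpm version-release string against the 2.5 threshold and scans ldd-style output for a system-resolved liblcms2.so.2. The package names and the ldd output it runs on are constructed samples; on a real host one would feed it `rpm -q liblcms2_2` and `ldd "$(command -v mtpaint)"` instead.

```shell
#!/bin/sh
# Added example, not part of the Mageia bug report or of lcms2 itself.
#   1. lcms2_status: does an installed lcms2 rpm carry the CVE-2013-4160 fix
#      (upstream 2.5 or later, as the report states)?
#   2. links_system_lcms2: does a program link the *system* liblcms2, so the
#      package update actually reaches it, judged from ldd-style output?
# All package names and ldd output below are constructed samples.

# Strip the package name from an rpm name such as "liblcms2_2-2.5-1.mga3",
# leaving the version-release string "2.5-1.mga3".
version_of_package() {
    printf '%s\n' "$1" | sed 's/^[^-]*-//'
}

# Return 0 if VERSION (e.g. "2.5", "2.5-1.mga3", "2.4") is 2.5 or later.
lcms2_is_fixed() {
    ver=$1
    case $ver in
        *.*) major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*} ;;
        *)   major=$ver; minor=0 ;;
    esac
    major=${major%%[!0-9]*}      # keep only the leading digits
    minor=${minor%%[!0-9]*}      # drops a release suffix such as "-1"
    [ -n "$major" ] || return 1  # unparsable: treat as not fixed
    [ -n "$minor" ] || minor=0
    if [ "$major" -gt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -ge 5 ]; then return 0; fi
    return 1
}

# Print "fixed" or "vulnerable" for an installed lcms2 rpm name.
lcms2_status() {
    if lcms2_is_fixed "$(version_of_package "$1")"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Read ldd-style output on stdin; return 0 if liblcms2.so.2 resolves to an
# absolute path (the system library), 1 if it is absent or unresolved.
links_system_lcms2() {
    grep -q 'liblcms2\.so\.2[[:space:]]*=>[[:space:]]*/'
}

# Constructed sample of ldd output for a program using the system lcms2.
SAMPLE_LDD='    liblcms2.so.2 => /usr/lib64/liblcms2.so.2 (0x00007f0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000200000)'

# Demo on constructed package names.
for pkg in liblcms2_2-2.4-3.mga2 liblcms2_2-2.5-1.mga3; do
    printf '%-24s %s\n' "$pkg" "$(lcms2_status "$pkg")"
done
if printf '%s\n' "$SAMPLE_LDD" | links_system_lcms2; then
    echo "sample program links the system liblcms2"
fi
```

The version check deliberately ignores the distribution release tag (`-1.mga3`), since the threshold that matters here is the upstream version; a distribution that backports the patch onto an older version, as Oden's SVN patch would have, needs a changelog check instead, which this script does not attempt.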
Update pushed: http://advisories.mageia.org/MGASA-2013-0240.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED