https://bugzilla.redhat.com/show_bug.cgi?id=991757
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718682

"
Pedro Ribeiro 2013-08-04 05:44:38 EDT

Created attachment 782447
Patch to correct the buffer overflows

Description of problem:

I have found three (lame) buffer overflows in lcms-1.19. The problem lies in the use of dangerous functions like scanf and sprintf to handle user input.

I have contacted the Little CMS developer and his answer was that "people concerned about security should update to Little CMS v2". To be honest I think it's a reasonable answer since he has stopped supporting lcms-1 in 2009. However this appears to be a package that is still widely in use in several distributions, and included in other software as a library.

I am attaching patches here to address the issue. These have been compile tested but I did not do any test beyond that. Please note that I am sending this via a mobile device and the patches might be mangled (hopefully not).

If you have any questions please contact me back. If you do issue an advisory, please credit Pedro Ribeiro (pedrib@gmail.com).

Regards,
Pedro
"

Reproducible:
Steps to Reproduce:
Fixed with the lcms-1.19-buffer-overflows.patch patch by David Walser for all affected packages.
CVE assignment: http://www.openwall.com/lists/oss-security/2013/08/22/3
Thanks for filing the bug Oden. I've revprop'd my commit log entries for when I added that patch and added the CVE, and pushed to updates_testing for mga2 and mga3.
CC: (none) => luigiwalser
Version: 2 => 3
Whiteboard: (none) => MGA2TOO
Advisory:
========================

Updated lcms packages fix security vulnerability:

Three buffer overflows in Little CMS version 1.19 that could possibly be exploited through user input (CVE-2013-4276).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4276
http://www.openwall.com/lists/oss-security/2013/08/21/19
========================

Updated packages in core/updates_testing:
========================
lcms-1.19-6.1.mga2
liblcms1-1.19-6.1.mga2
liblcms-devel-1.19-6.1.mga2
python-lcms-1.19-6.1.mga2
lcms-1.19-7.1.mga3
liblcms1-1.19-7.1.mga3
liblcms-devel-1.19-7.1.mga3
python-lcms-1.19-7.1.mga3

from SRPMS:
lcms-1.19-6.1.mga2.src.rpm
lcms-1.19-7.1.mga3.src.rpm
Assignee: bugsquad => qa-bugs
Advisory 11057.adv uploaded to svn.
CC: (none) => davidwhodgins
Testing complete mga2 32 & 64

Opened various image types in gimp including some raw image files which open in gimp via ufraw.

urpmq --whatrequires liblcms1
Whiteboard: MGA2TOO => MGA2TOO has_procedure mga2-32-ok mga2-64-ok
Testing complete mga3 32 & 64 same way

Validating.

Could sysadmin please push from 2 & 3 core/updates_testing to updates

Thanks!
Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0260.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED