" Pedro Ribeiro 2013-08-04 05:44:38 EDT
Created attachment 782447 [details]
Patch to correct the buffer overflows
Description of problem:
I have found three (lame) buffer overflows in lcms-1.19. The problem lies in the use of dangerous functions like scanf and sprintf to handle user input.
I have contacted the Little CMS developer and his answer was that "people concerned about security should update to Little CMS v2". To be honest I think it's a reasonable answer since he has stopped supporting lcms-1 in 2009. However this appears to be a package that is still widely in use in several distributions, and included in other software as a library.
I am attaching patches here to address the issue. These have been compile tested but I did not do any test beyond that. Please note that I am sending this via a mobile device and the patches might be mangled (hopefully not).
If you have any questions please contact me back. If you do issue an advisory, please credit Pedro Ribeiro (email@example.com).
Steps to Reproduce:
Fixed with the lcms-1.19-buffer-overflows.patch patch by David Walser for all affected packages.
CVE assignment: http://www.openwall.com/lists/oss-security/2013/08/22/3
Thanks for filing the bug Oden. I've revprop'd my commit log entries for when I added that patch and added the CVE, and pushed to updates_testing for mga2 and mga3.
Updated lcms packages fix security vulnerability:
Three buffer overflows in Little CMS version 1.19 that could possibly be
exploited through user input (CVE-2013-4276).
Updated packages in core/updates_testing:
Advisory 11057.adv uploaded to svn.
Testing complete mga2 32 & 64
Opened various image types in gimp including some raw image files which open in gimp via ufraw.
urpmq --whatrequires liblcms1
Testing complete mga3 32 & 64 same way
Could sysadmin please push from 2 & 3 core/updates_testing to updates