Bug 11057 - Buffer overflows in Little CMS v1.19 (CVE-2013-4276)
: Buffer overflows in Little CMS v1.19 (CVE-2013-4276)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://cve.mitre.org/cgi-bin/cvename....
: MGA2TOO has_procedure mga2-32-ok mga2...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-08-22 12:15 CEST by Oden Eriksson
Modified: 2013-08-26 21:52 CEST (History)
4 users (show)

See Also:
Source RPM: lcms
CVE:


Attachments

Description Oden Eriksson 2013-08-22 12:15:54 CEST
https://bugzilla.redhat.com/show_bug.cgi?id=991757
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718682

" Pedro Ribeiro 2013-08-04 05:44:38 EDT

Created attachment 782447 [details]
Patch to correct the buffer overflows

Description of problem:

I have found three (lame) buffer overflows in lcms-1.19. The problem lies in the use of dangerous functions like scanf and sprintf to handle user input.

I have contacted the Little CMS developer and his answer was that "people concerned about security should update to Little CMS v2". To be honest I think it's a reasonable answer since he has stopped supporting lcms-1 in 2009. However this appears to be a package that is still widely in use in several distributions, and included in other software as a library.

I am attaching patches here to address the issue. These have been compile tested but I did not do any test beyond that. Please note that I am sending this via a mobile device and the patches might be mangled (hopefully not).

If you have any questions please contact me back. If you do issue an advisory, please credit Pedro Ribeiro (pedrib@gmail.com).

Regards, 
Pedro"

Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2013-08-22 12:17:13 CEST
Fixed with the lcms-1.19-buffer-overflows.patch patch by David Walser for all affected packages.
Comment 2 Oden Eriksson 2013-08-22 12:17:52 CEST
CVE assignment: http://www.openwall.com/lists/oss-security/2013/08/22/3
Comment 3 David Walser 2013-08-22 13:42:21 CEST
Thanks for filing the bug Oden.  I've revprop'd my commit log entries for when I added that patch and added the CVE, and pushed to updates_testing for mga2 and mga3.
Comment 4 David Walser 2013-08-22 14:45:32 CEST
Advisory:
========================

Updated lcms packages fix security vulnerability:

Three buffer overflows in Little CMS version 1.19 that could possibly be
exploited through user input (CVE-2013-4276).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4276
http://www.openwall.com/lists/oss-security/2013/08/21/19
========================

Updated packages in core/updates_testing:
========================
lcms-1.19-6.1.mga2
liblcms1-1.19-6.1.mga2
liblcms-devel-1.19-6.1.mga2
python-lcms-1.19-6.1.mga2
lcms-1.19-7.1.mga3
liblcms1-1.19-7.1.mga3
liblcms-devel-1.19-7.1.mga3
python-lcms-1.19-7.1.mga3

from SRPMS:
lcms-1.19-6.1.mga2.src.rpm
lcms-1.19-7.1.mga3.src.rpm
Comment 5 Dave Hodgins 2013-08-22 22:03:53 CEST
Advisory 11057.adv uploaded to svn.
Comment 6 claire robinson 2013-08-23 15:35:02 CEST
Testing complete mga2 32 & 64

Opened various image types in gimp including some raw image files which open in gimp via ufraw.

urpmq --whatrequires liblcms1
Comment 7 claire robinson 2013-08-23 17:27:42 CEST
Testing complete mga3 32 & 64 same way

Validating.

Could sysadmin please push from 2 & 3 core/updates_testing to updates

Thanks!
Comment 8 Thomas Backlund 2013-08-26 21:52:28 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0260.html

Note You need to log in before you can comment on or make changes to this bug.