Fedora has issued an advisory today (August 24):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XXIGDG5IN54AHOOKCR6EFRN6MGRIFLXY/

The issue is fixed upstream in 2.8 (already in Cauldron).

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated lcms2 packages fix security vulnerability:

An out-of-bounds read in cmstypes.c in Type_MLU_Read function was found, leading to heap memory leak triggered by crafted ICC profile (rhbz#1367357).

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XXIGDG5IN54AHOOKCR6EFRN6MGRIFLXY/
========================

Updated packages in core/updates_testing:
========================
lcms2-2.6-3.1.mga5
liblcms2_2-2.6-3.1.mga5
liblcms2-devel-2.6-3.1.mga5

from lcms2-2.6-3.1.mga5.src.rpm
Just testing that the commands such as jpgicc2 snow-12hours.jpg tst.jpg work and the output is viewable.
Keywords: (none) => validated_update
Whiteboard: (none) => advisory, MGA5-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0303.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
CVE request: http://openwall.com/lists/oss-security/2017/01/23/1
(In reply to David Walser from comment #3)
> CVE request:
> http://openwall.com/lists/oss-security/2017/01/23/1

CVE-2016-10165:
http://openwall.com/lists/oss-security/2017/01/25/14
Summary: lcms2 new out-of-bounds read security issue => lcms2 new out-of-bounds read security issue (CVE-2016-10165)