Bug 23533 - lcms2 new security issue CVE-2018-16435
Summary: lcms2 new security issue CVE-2018-16435
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2018-09-05 23:02 CEST by David Walser
Modified: 2018-09-21 18:27 CEST (History)
CC List: 8 users

See Also:
Source RPM: lcms2-2.8-2.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-09-05 23:02:46 CEST
Debian has issued an advisory on September 4:
https://www.debian.org/security/2018/dsa-4284

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-09-05 23:02:52 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-09-08 13:09:56 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing a recent committer, Stig alias kekePower. Also CC'ing mikala, who once imported this package, just in case ;-)

@ mikala

Just in case you find time again to contribute a little: if your password wasn't reset since the end of February, then a sysadmin needs to reset it first.
If the ssh key that you used to commit is a DSA key, then a sysadmin needs to replace your public key in identity with the public RSA key that you provide to him.

You can privately mail all our sysadmins by sending a mail to sysadmin AT group DOT mageia DOT org :-D

CC: (none) => balcaen.john, marja11, smelror

Comment 2 Marja Van Waes 2018-09-08 14:31:06 CEST
(In reply to Marja Van Waes from comment #1)
> Assigning to all packagers collectively, since there is no registered
> maintainer for this package.
> 
New attempt :-p

Assignee: bugsquad => pkg-bugs

Comment 3 Nicolas Salguero 2018-09-10 09:52:43 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Little CMS (aka Little Color Management System) 2.9 has an integer overflow in the AllocateDataSet function in cmscgats.c, leading to a heap-based buffer overflow in the SetData function via a crafted file in the second argument to cmsIT8LoadFromFile. (CVE-2018-16435)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16435
https://www.debian.org/security/2018/dsa-4284
========================

Updated packages in core/updates_testing:
========================
lcms2-2.8-2.1.mga6
lib(64)lcms2_2-2.8-2.1.mga6
lib(64)lcms2-devel-2.8-2.1.mga6

from SRPMS:
lcms2-2.8-2.1.mga6.src.rpm

Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Source RPM: lcms2-2.9-2.mga7.src.rpm => lcms2-2.8-2.mga6.src.rpm

Comment 4 Len Lawrence 2018-09-11 12:44:23 CEST
Mageia 6, x86_64

Before update:

CVE-2018-16435
https://github.com/mm2/Little-CMS/issues/171
There is a 6-line C program and dataset here which should trigger an abort when run within the ASAN framework.
It compiles OK without ASAN but
$ gcc -o trigger -llcms2 -fsanitize=address trigger.c
/usr/bin/ld: cannot find libasan_preinit.o: No such file or directory
/usr/bin/ld: cannot find -lasan
collect2: error: ld returned 1 exit status

A search through lib64 confirms that the asan librar{y,ies} are missing.
Installed clang and tried
$ clang -o trigger -llcms2 -fsanitize=address trigger.c
which worked.
$ ASAN_OPTIONS=log_path=lcms2:verbosity=1 ./trigger
which created a log file: lcms2.20581
The contents indicate that ASAN is not being used correctly - mea culpa.
So no conclusion to be drawn from this.

CC: (none) => tarazed25

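To make the advisory text in comment 3 concrete, and as a stand-in for the ASAN trigger Len was trying to build in comment 4, here is an added example (my own illustrative code, not lcms2's cmscgats.c and not the program from the GitHub issue). It models the allocation an IT8/CGATS loader makes for its NUMBER_OF_SETS x NUMBER_OF_FIELDS table: the unchecked 32-bit product wraps to 0 for a crafted 65536 x 65536 header, which is the shape of the integer overflow in AllocateDataSet, and the later cell store then writes past the undersized heap buffer, which is the overflow in SetData. The hardened path refuses the allocation and bounds-checks every store. The MAX_CELLS cap, the two sample headers and the minimal header parser are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model of a CGATS/IT8 data table; not lcms2 code.
 * MAX_CELLS is an assumed sanity cap, not a value taken from lcms2. */
#define MAX_CELLS (1u << 24)

typedef struct {
    uint32_t nSets;     /* rows    (NUMBER_OF_SETS)   */
    uint32_t nFields;   /* columns (NUMBER_OF_FIELDS) */
    char   **Data;      /* nSets * nFields entries    */
} DataSet;

/* Minimal header scan for the two keywords that size the table (assumed
 * parser, one keyword per line). Returns 1 when both were found. */
int parse_it8_header(const char *text, uint32_t *nFields, uint32_t *nSets)
{
    int haveF = 0, haveS = 0;
    const char *p = text;
    while (*p) {
        unsigned long v;
        if (sscanf(p, "NUMBER_OF_FIELDS %lu", &v) == 1) { *nFields = (uint32_t)v; haveF = 1; }
        else if (sscanf(p, "NUMBER_OF_SETS %lu", &v) == 1) { *nSets = (uint32_t)v; haveS = 1; }
        p = strchr(p, '\n');
        if (!p) break;
        p++;
    }
    return haveF && haveS;
}

/* The vulnerable pattern: a 32-bit product that silently wraps, so the
 * buffer handed back is smaller than the (row, col) bounds used later. */
uint32_t unchecked_cell_count(uint32_t nSets, uint32_t nFields)
{
    return nSets * nFields;   /* 65536 * 65536 wraps to 0 */
}

/* Hardened version: refuse on overflow or on an unreasonably large table.
 * nSets <= MAX_CELLS / nFields guarantees nSets * nFields <= MAX_CELLS,
 * and MAX_CELLS fits in 32 bits, so the product cannot wrap. */
int checked_cell_count(uint32_t nSets, uint32_t nFields, size_t *cells)
{
    if (nSets == 0 || nFields == 0) return 0;
    if (nSets > MAX_CELLS / nFields) return 0;
    *cells = (size_t)nSets * nFields;
    return 1;
}

DataSet *alloc_dataset(uint32_t nSets, uint32_t nFields)
{
    size_t cells;
    if (!checked_cell_count(nSets, nFields, &cells)) return NULL;
    DataSet *ds = calloc(1, sizeof *ds);
    if (!ds) return NULL;
    ds->Data = calloc(cells, sizeof(char *));   /* calloc rejects n*size overflow too */
    if (!ds->Data) { free(ds); return NULL; }
    ds->nSets = nSets;
    ds->nFields = nFields;
    return ds;
}

/* Bounds-checked store. An unchecked store trusting (row, col) against a
 * wrapped allocation is exactly the heap write the CVE describes. */
int set_data(DataSet *ds, uint32_t row, uint32_t col, const char *val)
{
    if (!ds || row >= ds->nSets || col >= ds->nFields) return 0;
    size_t len = strlen(val) + 1;
    char *copy = malloc(len);
    if (!copy) return 0;
    memcpy(copy, val, len);
    size_t idx = (size_t)row * ds->nFields + col;
    free(ds->Data[idx]);
    ds->Data[idx] = copy;
    return 1;
}

const char *get_data(const DataSet *ds, uint32_t row, uint32_t col)
{
    if (!ds || row >= ds->nSets || col >= ds->nFields) return NULL;
    return ds->Data[(size_t)row * ds->nFields + col];
}

void free_dataset(DataSet *ds)
{
    if (!ds) return;
    for (size_t i = 0; i < (size_t)ds->nSets * ds->nFields; i++) free(ds->Data[i]);
    free(ds->Data);
    free(ds);
}

/* Constructed sample headers: a benign one and one sized to wrap 32 bits. */
static const char BENIGN_IT8[]  = "IT8.7/2\nNUMBER_OF_FIELDS 3\nNUMBER_OF_SETS 4\nBEGIN_DATA\n";
static const char CRAFTED_IT8[] = "IT8.7/2\nNUMBER_OF_FIELDS 65536\nNUMBER_OF_SETS 65536\nBEGIN_DATA\n";

/* Parse a header and allocate its table; NULL for the crafted file. */
DataSet *load_it8_header(const char *text)
{
    uint32_t nFields = 0, nSets = 0;
    if (!parse_it8_header(text, &nFields, &nSets)) return NULL;
    return alloc_dataset(nSets, nFields);
}

int main(void)
{
    DataSet *ds = load_it8_header(BENIGN_IT8);
    printf("benign header: %s\n", ds ? "allocated" : "rejected");
    printf("crafted header: %s (unchecked product = %u cells)\n",
           load_it8_header(CRAFTED_IT8) ? "allocated" : "rejected",
           unchecked_cell_count(65536u, 65536u));
    free_dataset(ds);
    return 0;
}
```

Built with `gcc -fsanitize=address` (or clang, as in comment 4) the hardened path never trips ASAN; swapping `checked_cell_count` for the unchecked product and dropping the bounds test in `set_data` reproduces the class of crash the advisory describes. Note that with `ASAN_OPTIONS=log_path=...` a log file is only written when ASAN actually reports an error, so an empty or init-only log means nothing fired, not that ASAN was misconfigured.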
Comment 5 Len Lawrence 2018-09-11 20:50:22 CEST
Follow-on from comment 4.

Updated the three packages.

lcms2 comes with a set of utilities for applying colour management profiles:
jpgicc2  linkicc2  psicc2  tificc2  transicc2

$ jpgicc2 --help
little cms ICC profile applier for JPEG - v3.2 [LittleCMS 2.08]

usage: jpgicc [flags] input.jpg output.jpg

flags:

-v - Verbose
-i<profile> - Input profile (defaults to sRGB)
-o<profile> - Output profile (defaults to sRGB)
-t<n> rendering intent:

	0 - Perceptual
	1 - Relative colorimetric
	2 - Saturation
	3 - Absolute colorimetric
	10 - Perceptual preserving black ink
	11 - Relative colorimetric preserving black ink
	12 - Saturation preserving black ink
	13 - Perceptual preserving black plane
	14 - Relative colorimetric preserving black plane
	15 - Saturation preserving black plane

-b - Black point compensation
-d<0..1> - Observer adaptation state (abs.col. only)
-n - Ignore embedded profile
-e - Embed destination profile
-s<new profile> - Save embedded profile as <new profile>

-c<0,1,2,3> - Precalculates transform (0=Off, 1=Normal, 2=Hi-res, 3=LoRes) [defaults to 1]

-p<profile> - Soft proof profile
-m<0,1,2,3> - SoftProof intent
-g - Marks out-of-gamut colors on softproof
-!<r>,<g>,<b> - Out-of-gamut marker channel values

-q<0..100> - Output JPEG quality

-h<0,1,2,3> - More help

$ jpgicc2 -h2
little cms ICC profile applier for JPEG - v3.2 [LittleCMS 2.08]
Built-in profiles:
	*Lab2  -- D50-based v2 CIEL*a*b
	*Lab4  -- D50-based v4 CIEL*a*b
	*Lab   -- D50-based v4 CIEL*a*b
	*XYZ   -- CIE XYZ (PCS)
	*sRGB  -- sRGB color space
	*Gray22 - Monochrome of Gamma 2.2
	*Gray30 - Monochrome of Gamma 3.0
	*null   - Monochrome black for all input
	*Lin2222- CMYK linearization of gamma 2.2 on each channel

Used a built-in profile to generate a high quality greyscale image from an original colour image.
$ identify JessicaAlba.jpg
JessicaAlba.jpg JPEG 600x448 600x448+0+0 8-bit sRGB 41342B 0.000u 0:00.000
$ jpgicc2 -i*sRGB -o*Gray22 -q100 JessicaAlba.jpg alba_1.jpg


Collected some profiles from digikam and scribus directories:
$ ls *.icm
GenericCMYK.icm  prophoto.icm  srgb-d65.icm  sRGB.icm  widegamut.icm

$ jpgicc2 -i*sRGB -owidegamut.icm -q100 JessicaAlba.jpg alba_2.jpg
This generated an image with less pronounced colours with a slight grey-green cast.
$ jpgicc2 -i*sRGB -oprophoto.icm -q100 JessicaAlba.jpg alba_3.jpg
The resulting image had even less colour.

$ identify alba*
alba_0.jpg JPEG 600x448 600x448+0+0 8-bit Gray 256c 107642B 0.000u 0:00.000
alba_1.jpg JPEG 600x448 600x448+0+0 8-bit Gray 256c 107642B 0.000u 0:00.000
alba_2.jpg JPEG 600x448 600x448+0+0 8-bit sRGB 330049B 0.000u 0:00.000
alba_3.jpg JPEG 600x448 600x448+0+0 8-bit sRGB 322455B 0.000u 0:00.000

The help for the other tools is similar so it looks like they all work in the same way.

$ identify GlenShiel.tif 
GlenShiel.tif TIFF 2304x1728 2304x1728+0+0 8-bit sRGB 11.3909MiB 0.000u 0:00.000
$ tificc2 -i*sRGB -o*Gray30 GlenShiel.tif glenshiel.tiff
$ identify glenshiel.tiff
glenshiel.tiff TIFF 2304x1728 2304x1728+0+0 8-bit Grayscale Gray 3.81026MiB 0.000u 0:00.000

The result is a brightened greyscale image.

Could not figure out how to use psicc2.  It does not process PostScript files but generates one according to the input parameters, I think.
However, this
$ psicc2 -i*sRGB -t1 test.ps
generates a postscript file which according to the help is a Colour Space Array.
It looks legitimate.
$ cat test.ps
[ /CIEBasedABC
<<
/DecodeABC [ { dup 0.0 lt { pop 0.0 } if dup 1.0 gt { pop 1.0 } if  [0 1 2 4 5 6 7 9 10 11 12 14 15 16 17 19 20 21 22 24 25 26 27 28 30 31 32 33 35 36 37 38 40 41 42 43 45 46 47 48 50 51 52 53 55 56 57 58 59 61 62 63 64 66 67 68 69 71 72 73 74 76 77 78 79 81 82 83 84 85 87 88 89 90 92 93 94 95 97 98 99 100 102 103 104
[...]
65353 65389 65426 65462 65499 65535 ] dup length 1 sub 3 -1 roll mul dup dup floor cvi exch ceiling cvi 3 index exch get 4 -1 roll 3 -1 roll get dup 3 1 roll sub 3 -1 roll dup floor cvi sub mul add 65535 div  } bind dup dup ]
/MatrixABC [ 0.436041 0.222485 0.013920 0.385113 0.716905 0.097067 0.143046 0.060610 0.713913 ]
/RangeLMN [ 0.0 0.9642 0.0 1.0000 0.0 0.8249 ]
/BlackPoint [0.000000 0.000000 0.000000]
/WhitePoint [0.964200 1.000000 0.824900]
/RenderingIntent (Perceptual)
>>
]

Using the -o option would generate a Colour Rendering Dictionary.

This package looks to be working for 64-bits.

Whiteboard: (none) => MGA6-64-OK

Comment 6 Thomas Andrews 2018-09-19 03:40:23 CEST
After Len's extensive test, I see no reason to avoid validating this. Suggested advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2018-09-21 17:13:05 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2018-09-21 18:27:50 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0387.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

