[Secure-testing-team] Bug#718682: liblcms1: Buffer overflows in Little CMS v1.19

Pedro R pedrib at gmail.com
Sun Aug 4 09:35:46 UTC 2013


Package: liblcms1
Version: 1.19
Severity: grave
Tags: upstream security patch
Justification: user security hole

I have found three (lame) buffer overflows in lcms-1.19. The problem lies in
the use of dangerous functions like scanf and sprintf to handle user input.

I have contacted the Little CMS developer and his answer was that "people
concerned about security should update to Little CMS v2". To be honest I think
it's a reasonable answer since he stopped supporting lcms-1 in 2009.
However this appears to be a package that is still widely in use in several
distributions, and included in other software as a library.

I am attaching patches here to address the issue. These have been compile
tested but I did not do any test beyond that. Please note that I am sending
this via a mobile device and the patches might be mangled (hopefully not).

If you have any questions please contact me back. If you do issue an advisory,
please credit Pedro Ribeiro (pedrib at gmail.com).

Note that I have contacted the security team and was instructed to report this
bug here.

Regards,
Pedro



-- System Information:
Debian Release: 7.1
  APT prefers stable
  APT policy: (750, 'stable'), (650, 'testing'), (600, 'unstable'), (550, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.7.1-botto-secfixes3-grsec+ (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lcms-1.19-b0f.patch
Type: text/x-diff
Size: 2888 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20130804/62db0c02/attachment-0001.patch>
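
The bug class named in the report above (unbounded scanf/sprintf on user-controlled input), shown next to bounded replacements. This is an added example, not part of the original message and not code from Little CMS or the attached patch; read_name, format_label, NAME_BUF and the sample inputs are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16  /* constructed buffer size for this example */

/* Unsafe pattern (comment only, not compiled):
 *   char name[NAME_BUF];
 *   sscanf(line, "%s", name);          // no field width: can write past name[]
 *   sprintf(out, "profile:%s", name);  // no size limit: can write past out[]
 */

/* Bounded read: field width 15 leaves room for the terminating NUL.
 * Returns 0 on success, -1 if no token was found or the token was too long. */
int read_name(const char *line, char name[NAME_BUF])
{
    int consumed = 0;
    if (sscanf(line, " %15s%n", name, &consumed) != 1)
        return -1;
    /* If the byte after the token is not whitespace or NUL, the token was
     * longer than the buffer: reject it instead of using a truncated value. */
    char next = line[consumed];
    if (next != '\0' && next != ' ' && next != '\t' && next != '\n')
        return -1;
    return 0;
}

/* Bounded write: snprintf writes at most out_size bytes and returns the
 * length it needed, so truncation is detectable. Returns 0 or -1. */
int format_label(char *out, size_t out_size, const char *name)
{
    int n = snprintf(out, out_size, "profile:%s", name);
    if (n < 0 || (size_t)n >= out_size)
        return -1;
    return 0;
}

int main(void)
{
    char name[NAME_BUF], label[32];
    const char *inputs[] = { "sRGB\n", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n" }; /* constructed */
    for (size_t i = 0; i < 2; i++) {
        if (read_name(inputs[i], name) == 0 && format_label(label, sizeof label, name) == 0)
            printf("ok: %s\n", label);
        else
            printf("rejected over-long or empty input\n");
    }
    return 0;
}
```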

