Bug 1367357 (CVE-2016-10165)

Summary: CVE-2016-10165 lcms2: Out-of-bounds read in Type_MLU_Read()
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abhgupta, ahughes, andreas.bierfert, dbhole, dmcphers, dmoppert, fedora, hobbes1069, jialiu, jokerman, jvanek, kseifried, kwizart, lmeyer, mmccomas, rdieter, rhughes, security-response-team, slawomir, tiwillia, twaugh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-02-02 04:25:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1367358, 1367359, 1367360, 1367361, 1503325, 1503326, 1503327, 1503328, 1503329, 1503330, 1503331, 1503332, 1515469, 1515470, 1515471, 1515472, 1516384, 1516385, 1516386, 1516387    
Bug Blocks: 1368025    

Description Adam Mariš 2016-08-16 09:25:28 UTC 
An out-of-bounds read in cmstypes.c in Type_MLU_Read function was found, leading to heap memory leak triggered by crafted ICC profile.

Upstream patch:

https://github.com/mm2/Little-CMS/commit/5ca71a7bc18b6897ab21d815d15e218e204581e2

CVE request:

http://seclists.org/oss-sec/2016/q3/288
Comment 1 Adam Mariš 2016-08-16 09:26:27 UTC 
Created mingw-lcms2 tracking bugs for this issue:

Affects: fedora-all [bug 1367359]
Comment 2 Adam Mariš 2016-08-16 09:26:37 UTC 
Created lcms2 tracking bugs for this issue:

Affects: fedora-all [bug 1367358]
Affects: epel-5 [bug 1367360]
Affects: epel-6 [bug 1367361]
Comment 3 Fedora Update System 2016-08-27 10:24:14 UTC 
lcms2-2.8-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2016-08-27 15:18:17 UTC 
lcms2-2.8-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2016-09-04 19:17:30 UTC 
lcms2-2.8-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2016-09-04 20:48:00 UTC 
lcms2-2.8-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2016-09-04 22:51:58 UTC 
lcms2-2.8-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Nicolas Chauvet (kwizart) 2016-12-01 14:37:45 UTC 
Cant we close this bug ?
Comment 9 Adam Mariš 2016-12-01 14:42:01 UTC 
(In reply to Nicolas Chauvet (kwizart) from comment #8)
> Cant we close this bug ?

No, RHEL packages weren't handled yet.
Comment 13 Andrej Nemec 2017-01-26 09:12:31 UTC 
CVE assignment:

http://seclists.org/oss-sec/2017/q1/197
Comment 14 Doran Moppert 2017-02-02 04:23:45 UTC 
This issue was fixed for java-1.8.0-openjdk in Red Hat Enterprise Linux:

https://rhn.redhat.com/errata/RHSA-2016-2079.html

This issue was fixed for java-1.7.0-openjdk in Red Hat Enterprise Linux:

https://rhn.redhat.com/errata/RHSA-2016-2658.html
Comment 15 Tomas Hoger 2017-10-12 20:36:45 UTC 
(In reply to Adam Mariš from comment #0)
> Upstream patch:
> 
> https://github.com/mm2/Little-CMS/commit/5ca71a7bc18b6897ab21d815d15e218e204581e2

Further tweak of the fix:

https://github.com/mm2/Little-CMS/commit/d41071eb8cfea7aa10a9262c12bd95d5d9d81c8f
Comment 18 Tomas Hoger 2017-10-18 09:51:03 UTC 
OpenJDK-8 upstream commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/27273bbb711a
Comment 19 errata-xmlrpc 2017-10-23 07:47:33 UTC 
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2017:2999 https://access.redhat.com/errata/RHSA-2017:2999
Comment 20 errata-xmlrpc 2017-10-24 12:17:40 UTC 
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2017:3046 https://access.redhat.com/errata/RHSA-2017:3046
Comment 23 errata-xmlrpc 2017-11-27 18:05:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2017:3264 https://access.redhat.com/errata/RHSA-2017:3264
Comment 24 errata-xmlrpc 2017-11-28 20:40:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2017:3267 https://access.redhat.com/errata/RHSA-2017:3267
Comment 25 errata-xmlrpc 2017-11-28 20:43:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2017:3268 https://access.redhat.com/errata/RHSA-2017:3268
Comment 26 errata-xmlrpc 2017-12-13 16:49:11 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 5.8
  Red Hat Satellite 5.8 ELS

Via RHSA-2017:3453 https://access.redhat.com/errata/RHSA-2017:3453