Bug 985137 (CVE-2013-4160)

Summary: CVE-2013-4160 Little CMS: multiple potential flaws
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: hobbes1069, rdieter, rhughes, twaugh
Keywords: Reopened, Security
Hardware: All
OS: Linux
Fixed In Version: lcms2 2.5
Doc Type: Bug Fix
Last Closed: 2017-05-26 07:37:35 UTC
Bug Depends On: 985140, 987241, 1024448    
Bug Blocks: 985138    

Description Vincent Danen 2013-07-16 22:28:26 UTC
A SUSE bug report [1] noted a number of potential flaws in lcms2 that were fixed in version 2.5.  The changelog indicates:

* Added some checks for non-happy path, mostly failing mallocs

which was fixed via https://github.com/mm2/Little-CMS/commit/91c2db7f2559be504211b283bc3a2c631d6f06d9, however Stanislav looked at other changes between 2.4 and 2.5 and found some others that were suspect and could have potential security impact:

https://github.com/mm2/Little-CMS/commit/b0d5ffd4ad91cf8683ee106f13742db3dc66599a
https://github.com/mm2/Little-CMS/commit/06d4557477e7ab3330a24d69af4c67adcac9acdf
https://github.com/mm2/Little-CMS/commit/41d222df1bc6188131a8f46c32eab0a4d4cdf1b6
https://github.com/mm2/Little-CMS/commit/b0d5ffd4ad91cf8683ee106f13742db3dc66599a
https://github.com/mm2/Little-CMS/commit/9cf2d61867375f867e6e80906a571d222bc2cbf3
https://github.com/mm2/Little-CMS/commit/049d634ea6bf2a9bafbf9ddef18464be9caa567f
https://github.com/mm2/Little-CMS/commit/03f784fe8d5eaf8353e8521799a301b8a188388c
https://github.com/mm2/Little-CMS/commit/d2d902b9a03583ae482c782b2f243f7e5268a47d
https://github.com/mm2/Little-CMS/commit/c606462eda773b1cdd51dcfebd81fc8862652c51
https://github.com/mm2/Little-CMS/commit/65e2f1df3495edc984f7e0d7b7b24e29d851e240
https://github.com/mm2/Little-CMS/commit/886e2f524268efe8a1c3aa838c28e446fda24486
https://github.com/mm2/Little-CMS/commit/5d98f40ed58f6e8eb9aee6dd2d9467bbc8551ee7

It is probably advisable for Fedora to bump to version 2.5 if possible, or apply the above patches to the currently-shipping 2.4 version.


[1] https://bugzilla.novell.com/show_bug.cgi?id=826097

Comment 2 Vincent Danen 2013-07-22 18:39:39 UTC
This was assigned CVE-2013-4160:

http://openwall.com/lists/oss-security/2013/07/22/1

Comment 3 Huzaifa S. Sidhpurwala 2013-07-23 04:16:11 UTC
Created lcms2 tracking bugs for this issue:

Affects: fedora-all [bug 987241]

Comment 5 Vincent Danen 2013-10-29 16:38:46 UTC
This also affects lcms2 in EPEL6.

Comment 6 Vincent Danen 2013-10-29 16:39:31 UTC
Created lcms2 tracking bugs for this issue:

Affects: epel-6 [bug 1024448]

Comment 8 Vincent Danen 2014-01-23 02:49:04 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-4160 to
the following vulnerability:

Name: CVE-2013-4160
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4160
Assigned: 20130612
Reference: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-July/023895.html
Reference: http://openwall.com/lists/oss-security/2013/07/18/7
Reference: http://openwall.com/lists/oss-security/2013/07/22/1
Reference: https://bugzilla.novell.com/show_bug.cgi?id=826097#c9
Reference: https://github.com/mm2/Little-CMS/commit/91c2db7f2559be504211b283bc3a2c631d6f06d9

Little CMS (lcms2) before 2.5, as used in OpenJDK 7 and possibly other
products, allows remote attackers to cause a denial of service (NULL
pointer dereference and crash) via vectors related to (1)
cmsStageAllocLabV2ToV4curves, (2) cmsPipelineDup, (3)
cmsAllocProfileSequenceDescription, (4) CurvesAlloc, and (5) cmsnamed.
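
The failure mode named in the CVE text above (a NULL pointer dereference when an allocation fails inside a routine such as cmsPipelineDup) can be tested for by failing each allocation in turn and checking that the routine returns NULL without leaking. The C code below is an added example, not lcms2 code and not part of any comment in this bug; the Stage type, xmalloc, chain_dup and sweep_dup_failures are hypothetical names, and the sample chain is constructed.

```c
#include <stdlib.h>

/* Hypothetical stage list for illustration; not lcms2's real structures. */
typedef struct Stage { double gain; struct Stage *next; } Stage;

static long fail_at = -1; /* index of the allocation to fail; -1 = never */
static long alloc_no = 0; /* allocations requested since the last reset */
static long live = 0;     /* blocks currently allocated (leak counter) */

/* Fault-injecting allocator: returns NULL on the fail_at-th request. */
static void *xmalloc(size_t n) {
    void *p = (alloc_no++ == fail_at) ? NULL : malloc(n);
    if (p) live++;
    return p;
}
static void xfree(void *p) { if (p) { live--; free(p); } }
static void chain_free(Stage *s) { while (s) { Stage *n = s->next; xfree(s); s = n; } }

/* Checked duplicate: a failed allocation frees the partial copy and returns NULL. */
Stage *chain_dup(const Stage *src) {
    Stage *head = NULL, **tail = &head;
    for (; src; src = src->next) {
        Stage *s = xmalloc(sizeof *s);
        if (!s) { chain_free(head); return NULL; }  /* never write through NULL */
        *s = *src; s->next = NULL;
        *tail = s; tail = &s->next;
    }
    return head;
}

/* Constructed sample input: a three-stage chain in static storage. */
static Stage sample[3] = { {1.0, &sample[1]}, {2.0, &sample[2]}, {3.0, NULL} };

/* Fail each of the 3 allocations in turn. Returns the number of failure
   points handled without a leak, or -1 if the fault-free copy is wrong. */
int sweep_dup_failures(void) {
    int handled = 0;
    for (long k = 0; k < 3; k++) {
        alloc_no = 0; fail_at = k;
        if (chain_dup(sample) == NULL && live == 0) handled++;
    }
    fail_at = -1;
    Stage *copy = chain_dup(sample);       /* no fault: must succeed */
    int ok = copy && live == 3 && copy->next->next->gain == 3.0;
    chain_free(copy);
    return (ok && live == 0) ? handled : -1;
}

int main(void) { return sweep_dup_failures() == 3 ? 0 : 1; }
```

Removing the `if (!s)` line makes the sweep crash at the first injected failure, which is the class of defect the 2.5 changelog entry about failing mallocs describes.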

Comment 9 Fedora Update System 2016-03-25 21:52:30 UTC
lcms2-2.7-3.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.