Bug 991757

Summary: lcms: multiple buffer overflows
Product: [Other] Security Response
Reporter: Pedro Ribeiro <pedrib>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Severity: medium
Priority: medium
Version: unspecified
CC: andreas.bierfert, bleanhar, ccoleman, dmcphers, jdetiber, jialiu, jkurik, kwizart, lmeyer, rhughes, vkrizan
Keywords: Security
Hardware: Unspecified
OS: Unspecified
Whiteboard: impact=moderate,public=20130804,reported=20130804,source=researcher,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,fedora-all/lcms=affected,rhel-5/lcms=affected,rhel-6/lcms=affected,rhel-7/lcms=affected,openshift-enterprise-1/lcms=affected
Doc Type: Bug Fix
Last Closed: 2013-08-22 11:45:10 EDT
Type: Bug
Bug Blocks: 1000074
Attachments:
- Patch to correct the buffer overflows
- The proper patch that fixes the issue
- Yet another version of the patch

Description Pedro Ribeiro 2013-08-04 05:44:38 EDT
Created attachment 782447
Patch to correct the buffer overflows

Description of problem:

I have found three (lame) buffer overflows in lcms-1.19. The problem lies in the use of dangerous functions like scanf and sprintf to handle user input.

I have contacted the Little CMS developer and his answer was that "people concerned about security should update to Little CMS v2". To be honest I think it's a reasonable answer since he has stopped supporting lcms-1 in 2009. However this appears to be a package that is still widely in use in several distributions, and included in other software as a library.

I am attaching patches here to address the issue. These have been compile tested but I did not do any test beyond that. Please note that I am sending this via a mobile device and the patches might be mangled (hopefully not).

If you have any questions please contact me back. If you do issue an advisory, please credit Pedro Ribeiro (pedrib@gmail.com).

Version-Release number of selected component (if applicable):

Additional info:
Patch attached
Comment 2 Pedro Ribeiro 2013-08-05 14:00:07 EDT
Created attachment 782955
The proper patch that fixes the issue

Please note that I have committed a stupid and lame mistake and actually introduced a format string vulnerability with the previous patch. This is the correct patch and should fix the issue, but please review it anyway.
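As an added illustration of the description's point (unbounded sprintf/scanf into fixed-size buffers) and of the format-string pitfall the reporter mentions in Comment 2, the C below is example code written for this page, not lcms source or any of the attached patches; NAME_LEN, format_profile_name and read_token are assumed names.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed fixed-size destination of the kind the lcms-1 sprintf/scanf
   call sites write into; the size is an assumption for this example. */
#define NAME_LEN 32

/* Build "Profile: <desc>" from an untrusted description string.
   Returns true on success; false (and an empty buffer) if the result would
   not fit, instead of writing past the end as an unbounded sprintf would. */
bool format_profile_name(char out[NAME_LEN], const char *untrusted)
{
    /* The format is a literal and the untrusted text is only an argument.
       Passing the untrusted text as the format itself, snprintf(out, n, s),
       is the format-string bug the first patch in this thread introduced. */
    int n = snprintf(out, NAME_LEN, "Profile: %s", untrusted);
    if (n < 0 || (size_t)n >= NAME_LEN) {
        out[0] = '\0';      /* truncated or error: do not return partial data */
        return false;
    }
    return true;
}

/* Bounded replacement for scanf("%s", out): the field width caps the copy at
   NAME_LEN - 1 characters, and the caller is told when the token was cut
   short rather than silently receiving a truncated value. */
bool read_token(char out[NAME_LEN], const char *input)
{
    int consumed = 0;
    /* "%31s" must equal NAME_LEN - 1; %n records how far sscanf read. */
    if (sscanf(input, "%31s%n", out, &consumed) != 1) {
        out[0] = '\0';
        return false;
    }
    /* A full-width token followed by more non-space text is exactly the
       input on which the original unbounded scanf would have overflowed. */
    char next = input[consumed];
    if (strlen(out) == NAME_LEN - 1 && next != '\0' && next != ' ' &&
        next != '\t' && next != '\n') {
        out[0] = '\0';
        return false;
    }
    return true;
}
```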
Comment 4 Pedro Ribeiro 2013-08-06 07:40:15 EDT
Created attachment 783274
Yet another version of the patch

Yet another version of the patch, as per the comments in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718682#40.
Comment 5 Vincent Danen 2013-08-22 11:20:27 EDT
Thanks for this, Pedro. I'm going to turn this into an SRT bug.
Comment 7 Vincent Danen 2013-08-22 11:45:10 EDT
Bah, this already had a bug.

*** This bug has been marked as a duplicate of bug 992975 ***