Bug 991757

Summary: lcms: multiple buffer overflows
Product: [Other] Security Response
Reporter: Pedro Ribeiro <pedrib>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: andreas.bierfert, bleanhar, ccoleman, dmcphers, jdetiber, jialiu, jkurik, kwizart, lmeyer, rhughes, vkrizan
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-22 15:45:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1000074
Attachments (description, flags):
Patch to correct the buffer overflows (attachment 782447): none
The proper patch that fixes the issue (attachment 782955): none
Yet another version of the patch (attachment 783274): none

Description Pedro Ribeiro 2013-08-04 09:44:38 UTC
Created attachment 782447 [details]
Patch to correct the buffer overflows

Description of problem:

I have found three (lame) buffer overflows in lcms-1.19. The problem lies in the use of dangerous functions like scanf and sprintf to handle user input.

I have contacted the Little CMS developer and his answer was that "people concerned about security should update to Little CMS v2". To be honest I think it's a reasonable answer since he has stopped supporting lcms-1 in 2009. However this appears to be a package that is still widely in use in several distributions, and included in other software as a library.

I am attaching patches here to address the issue. These have been compile tested but I did not do any test beyond that. Please note that I am sending this via a mobile device and the patches might be mangled (hopefully not).

If you have any questions please contact me back. If you do issue an advisory, please credit Pedro Ribeiro (pedrib).

Regards, 
Pedro

Version-Release number of selected component (if applicable):
1.19

Additional info:
Patch attached

Comment 2 Pedro Ribeiro 2013-08-05 18:00:07 UTC
Created attachment 782955 [details]
The proper patch that fixes the issue

Please note that I have committed a stupid and lame mistake and actually introduced a format string vulnerability with the previous patch. This is the correct patch and should fix the issue, but please review it anyway.
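The shape of the sprintf/scanf overflow the report describes, the format-string mistake comment 2 mentions, and the bounded form, as an added illustration. This is not lcms source and not the attached patch: NAME_LEN, the function names and the sample inputs are assumptions chosen only to show the three patterns side by side.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added illustration for this bug entry, not lcms source. NAME_LEN, the
 * function names and the sample inputs are assumptions; they only show the
 * shape of the sprintf/scanf overflow the report describes and the
 * format-string mistake comment 2 mentions.
 */
#define NAME_LEN 16

/* Reported bug class: sprintf and "%s" scanf into a fixed buffer with no
 * bound. Both are undefined behaviour once the input has NAME_LEN or more
 * bytes, so nothing below calls them with long input. */
void copy_name_unbounded(char dst[NAME_LEN], const char *src)
{
    sprintf(dst, "%s", src);             /* no length limit on src */
}

void read_token_unbounded(char dst[NAME_LEN], const char *line)
{
    sscanf(line, "%s", dst);             /* "%s" with no field width */
}

/* The mistake from comment 2: the write is now bounded, but the user's
 * bytes are passed as the FORMAT argument, so "%" sequences in src are
 * interpreted (compilers warn about this with -Wformat-security).
 * Returns 0 on success, -1 if the result did not fit. */
int copy_name_format_bug(char dst[NAME_LEN], const char *src)
{
    int n = snprintf(dst, NAME_LEN, src);
    return (n < 0 || n >= NAME_LEN) ? -1 : 0;
}

/* Correct form: literal format, explicit size, and the return value is
 * checked so truncation is reported instead of silently accepted. */
int copy_name_bounded(char dst[NAME_LEN], const char *src)
{
    int n = snprintf(dst, NAME_LEN, "%s", src);
    return (n < 0 || n >= NAME_LEN) ? -1 : 0;
}

/* scanf equivalent: give "%s" a field width. The probe is one byte larger
 * than dst so a token that would not fit can be detected and rejected
 * rather than truncated. The width literal 16 must equal NAME_LEN. */
int read_token_bounded(char dst[NAME_LEN], const char *line)
{
    char probe[NAME_LEN + 1];
    if (sscanf(line, "%16s", probe) != 1)
        return -1;                        /* no token on the line */
    if (strlen(probe) >= NAME_LEN)
        return -1;                        /* token too long for dst */
    memcpy(dst, probe, strlen(probe) + 1);
    return 0;
}

/* Helper that makes the copy variants comparable:
 *   1  src copied verbatim,  0  copied but altered,  -1  rejected. */
int name_roundtrip(int (*copy)(char *, const char *), const char *src)
{
    char buf[NAME_LEN];
    if (copy(buf, src) != 0)
        return -1;
    return strcmp(buf, src) == 0 ? 1 : 0;
}

/* Length of the first token on line, or -1 if it is absent or too long. */
int token_len(const char *line)
{
    char buf[NAME_LEN];
    if (read_token_bounded(buf, line) != 0)
        return -1;
    return (int)strlen(buf);
}

int main(void)
{
    /* Constructed inputs: a short name, an over-long one, and one
     * containing "%%", which only the format-string bug rewrites. */
    printf("bounded, short    : %d\n", name_roundtrip(copy_name_bounded, "sRGB"));
    printf("bounded, too long : %d\n", name_roundtrip(copy_name_bounded, "a-profile-name-far-too-long"));
    printf("bounded, %%%%      : %d\n", name_roundtrip(copy_name_bounded, "50%%off"));
    printf("format bug, %%%%   : %d\n", name_roundtrip(copy_name_format_bug, "50%%off"));
    printf("token lengths     : %d %d\n", token_len("  ProfileName rest"), token_len("ABCDEFGHIJKLMNOP"));
    return 0;
}
```

The point of the middle variant is that it passes a length-bounded review: nothing overflows, yet an input such as "50%%off" comes out as "50%off", and inputs carrying other conversions are undefined behaviour. The fix for a sprintf overflow is a literal format plus a size plus a checked return value, not merely swapping the function name.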

Comment 4 Pedro Ribeiro 2013-08-06 11:40:15 UTC
Created attachment 783274 [details]
Yet another version of the patch

Yet another version of the patch, as per the comments in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718682#40.

Comment 5 Vincent Danen 2013-08-22 15:20:27 UTC
Thanks for this, Pedro.  I'm going to turn this into an SRT bug.

Comment 7 Vincent Danen 2013-08-22 15:45:10 UTC
Bah, this already had a bug.

*** This bug has been marked as a duplicate of bug 992975 ***