Red Hat Bugzilla – Full Text Bug Listing
|Summary:||lcms: multiple buffer overflows|
|Product:||[Other] Security Response||Reporter:||Pedro Ribeiro <pedrib>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED DUPLICATE||QA Contact:|
|Version:||unspecified||CC:||andreas.bierfert, bleanhar, ccoleman, dmcphers, jdetiber, jialiu, jkurik, kwizart, lmeyer, rhughes, vkrizan|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2013-08-22 11:45:10 EDT||Type:||Bug|
Description Pedro Ribeiro 2013-08-04 05:44:38 EDT
Created attachment 782447: Patch to correct the buffer overflows

Description of problem:

I have found three (lame) buffer overflows in lcms-1.19. The problem lies in the use of dangerous functions like scanf and sprintf to handle user input.

I have contacted the Little CMS developer and his answer was that "people concerned about security should update to Little CMS v2". To be honest I think it's a reasonable answer since he has stopped supporting lcms-1 in 2009. However this appears to be a package that is still widely in use in several distributions, and included in other software as a library.

I am attaching patches here to address the issue. These have been compile tested but I did not do any test beyond that. Please note that I am sending this via a mobile device and the patches might be mangled (hopefully not).

If you have any questions please contact me back. If you do issue an advisory, please credit Pedro Ribeiro (email@example.com).

Regards,
Pedro

Version-Release number of selected component (if applicable): 1.19

Additional info: Patch attached
Comment 2 Pedro Ribeiro 2013-08-05 14:00:07 EDT
Created attachment 782955: The proper patch that fixes the issue

Please note that I have committed a stupid and lame mistake and actually introduced a format string vulnerability with the previous patch. This is the correct patch and should fix the issue, but please review it anyway.
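The two bug classes mentioned in the description and in comment 2 (unbounded scanf/sprintf, and a format string bug introduced while bounding them), shown here as an added example that is not taken from lcms or from the attached patches. The function names, the buffer size and the input strings are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_SIZE 16 /* constructed size for the example */

/*
 * Patterns of the kind the report describes (not lcms source):
 *   scanf("%s", token);                  no field width, writes past token
 *   sprintf(out, "profile: %s", token);  no bound on out
 *   snprintf(out, size, token);          bounded, but input is the format
 */

/* Read one whitespace-delimited token; -1 if none or if it does not fit. */
int read_token(const char *line, char token[TOKEN_SIZE])
{
    int used = 0;

    /* "%15s" stores at most TOKEN_SIZE - 1 characters plus the NUL. */
    if (sscanf(line, "%15s%n", token, &used) != 1)
        return -1;
    /* Stopping in the middle of a word means the input was too long. */
    if (line[used] != '\0' && !isspace((unsigned char)line[used]))
        return -1;
    return 0;
}

/* Build a label; input is only ever an argument to a constant format. */
int format_label(char *out, size_t out_size, const char *token)
{
    int n = snprintf(out, out_size, "profile: %s", token);

    /* snprintf returns the length it wanted; >= size means truncated. */
    if (n < 0 || (size_t)n >= out_size)
        return -1;
    return 0;
}

int main(void)
{
    char token[TOKEN_SIZE], label[32];

    if (read_token("%x%n%s extra", token) == 0 &&
        format_label(label, sizeof label, token) == 0)
        puts(label); /* conversion characters come out as plain text */
    return 0;
}
```

Building with `-Wall -Wformat-security` flags the non-literal format form listed in the comment, which is a quick check to run on any patch that swaps sprintf for snprintf.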
Comment 4 Pedro Ribeiro 2013-08-06 07:40:15 EDT
Created attachment 783274: Yet another version of the patch

Yet another version of the patch, as per the comments in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718682#40.
Comment 5 Vincent Danen 2013-08-22 11:20:27 EDT
Thanks for this, Pedro. I'm going to turn this into an SRT bug.