The ReadEmbeddedTextTag in src/cmsio1.c did not properly check amount of data read from the input file to the buffer provided as one of its arguments. Value read from the file was used as an upper bound without any validation. This issue was fixed upstream in 1.16. Upstream CVS commit: http://lcms.cvs.sourceforge.net/viewvc/lcms/lcms/src/cmsio1.c?r1=1.33&r2=1.34 (some of the previous changes may be needed for 1.15) References: http://www.openwall.com/lists/oss-security/2008/11/28/3
Created attachment 325024 [details] Patch used in SuSE security updates This was extracted from SuSE liblcms-1.15-32.src.rpm. Original name of the patch was lcms-CVE-2007-2741.patch, but CVE-2007-2741 is a different issue that got fixed upstream in 1.15.
Affected lcms versions are currently in Red Hat Enterprise Linux 5 and EPEL 4 (both based on upstream 1.15).
CVE id CVE-2008-5316 was assigned to this issue: Buffer overflow in the ReadEmbeddedTextTag function in src/cmsio1.c in Little cms color engine (aka lcms) before 1.16 allows attackers to have an unknown impact via vectors related to a length parameter inconsistency involving the contents of "the input file," a different vulnerability than CVE-2007-2741.
https://www.redhat.com/security/data/cve/CVE-2008-5316.html