A SUSE bug report [1] noted a number of potential flaws in lcms2 that were fixed in version 2.5. The changelog indicates:

* Added some checks for non-happy path, mostly failing mallocs

which was fixed via https://github.com/mm2/Little-CMS/commit/91c2db7f2559be504211b283bc3a2c631d6f06d9, however Stanislav looked at other changes between 2.4 and 2.5 and found some others that were suspect and could have potential security impact:

https://github.com/mm2/Little-CMS/commit/b0d5ffd4ad91cf8683ee106f13742db3dc66599a
https://github.com/mm2/Little-CMS/commit/06d4557477e7ab3330a24d69af4c67adcac9acdf
https://github.com/mm2/Little-CMS/commit/41d222df1bc6188131a8f46c32eab0a4d4cdf1b6
https://github.com/mm2/Little-CMS/commit/b0d5ffd4ad91cf8683ee106f13742db3dc66599a
https://github.com/mm2/Little-CMS/commit/9cf2d61867375f867e6e80906a571d222bc2cbf3
https://github.com/mm2/Little-CMS/commit/049d634ea6bf2a9bafbf9ddef18464be9caa567f
https://github.com/mm2/Little-CMS/commit/03f784fe8d5eaf8353e8521799a301b8a188388c
https://github.com/mm2/Little-CMS/commit/d2d902b9a03583ae482c782b2f243f7e5268a47d
https://github.com/mm2/Little-CMS/commit/c606462eda773b1cdd51dcfebd81fc8862652c51
https://github.com/mm2/Little-CMS/commit/65e2f1df3495edc984f7e0d7b7b24e29d851e240
https://github.com/mm2/Little-CMS/commit/886e2f524268efe8a1c3aa838c28e446fda24486
https://github.com/mm2/Little-CMS/commit/5d98f40ed58f6e8eb9aee6dd2d9467bbc8551ee7

It is probably advisable for Fedora to bump to version 2.5 if possible, or apply the above patches to the currently-shipping 2.4 version.

[1] https://bugzilla.novell.com/show_bug.cgi?id=826097
This was assigned CVE-2013-4160: http://openwall.com/lists/oss-security/2013/07/22/1
Created lcms2 tracking bugs for this issue: Affects: fedora-all [bug 987241]
This also affects lcms2 in EPEL6.
Created lcms2 tracking bugs for this issue: Affects: epel-6 [bug 1024448]
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-4160 to the following vulnerability:

Name: CVE-2013-4160
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4160
Assigned: 20130612
Reference: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-July/023895.html
Reference: http://openwall.com/lists/oss-security/2013/07/18/7
Reference: http://openwall.com/lists/oss-security/2013/07/22/1
Reference: https://bugzilla.novell.com/show_bug.cgi?id=826097#c9
Reference: https://github.com/mm2/Little-CMS/commit/91c2db7f2559be504211b283bc3a2c631d6f06d9

Little CMS (lcms2) before 2.5, as used in OpenJDK 7 and possibly other products, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to (1) cmsStageAllocLabV2ToV4curves, (2) cmsPipelineDup, (3) cmsAllocProfileSequenceDescription, (4) CurvesAlloc, and (5) cmsnamed.
lcms2-2.7-3.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.