Bug 991757 - lcms: multiple buffer overflows
Summary: lcms: multiple buffer overflows
Keywords:
Status: CLOSED DUPLICATE of bug 992975
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: Embargoed1000074
TreeView+ depends on / blocked
 
Reported: 2013-08-04 09:44 UTC by Pedro Ribeiro
Modified: 2019-09-29 13:06 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-08-22 15:45:10 UTC

Attachments (Terms of Use)
Patch to correct the buffer overflows (2.82 KB, patch)
2013-08-04 09:44 UTC, Pedro Ribeiro 		no flags Details | Diff
The proper patch that fixes the issue (1.47 KB, patch)
2013-08-05 18:00 UTC, Pedro Ribeiro 		no flags Details | Diff
Yet another version of the patch (1.81 KB, patch)
2013-08-06 11:40 UTC, Pedro Ribeiro 		no flags Details | Diff
Show Obsolete (2) View All


Links
System ID Private Priority Status Summary Last Updated
Debian BTS 718682 0 None None None Never

Description Pedro Ribeiro 2013-08-04 09:44:38 UTC 
Created attachment 782447 [details]
Patch to correct the buffer overflows

Description of problem:

I have found three (lame) buffer overflows in lcms-1.19. The problem lies in the use of dangerous functions like scanf and sprintf to handle user input.

I have contacted the Little CMS developer and his answer was that "people concerned about security should update to Little CMS v2". To be honest I think it's a reasonable answer since he has stopped supporting lcms-1 in 2009. However this appears to be a package that is still widely in use in several distributions, and included in other software as a library.

I am attaching patches here to address the issue. These have been compile tested but I did not do any test beyond that. Please note that I am sending this via a mobile device and the patches might be mangled (hopefully not).

If you have any questions please contact me back. If you do issue an advisory, please credit Pedro Ribeiro (pedrib).

Regards, 
Pedro

Version-Release number of selected component (if applicable):
1.19

Additional info:
Patch attached
Comment 2 Pedro Ribeiro 2013-08-05 18:00:07 UTC 
Created attachment 782955 [details]
The proper patch that fixes the issue

Please note that I have committed a stupid and lame mistake and actually introduced a format string vulnerability with the previous patch. This is the correct patch and should fix the issue, but please review it anyway.
Comment 4 Pedro Ribeiro 2013-08-06 11:40:15 UTC 
Created attachment 783274 [details]
Yet another version of the patch

Yet another version of the patch, as per the comments in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718682#40.
Comment 5 Vincent Danen 2013-08-22 15:20:27 UTC 
Thanks for this, Pedro.  I'm going to turn this into an SRT bug.
Comment 7 Vincent Danen 2013-08-22 15:45:10 UTC 
Bah, this already had a bug.

*** This bug has been marked as a duplicate of bug 992975 ***
Note You need to log in before you can comment on or make changes to this bug.