Red Hat Bugzilla – Bug 991757
lcms: multiple buffer overflows
Last modified: 2015-07-31 07:12:04 EDT
Created attachment 782447 [details]
Patch to correct the buffer overflows
Description of problem:
I have found three (lame) buffer overflows in lcms-1.19. The problem lies in the use of dangerous functions like scanf and sprintf to handle user input.
I have contacted the Little CMS developer and his answer was that "people concerned about security should update to Little CMS v2". To be honest I think it's a reasonable answer since he has stopped supporting lcms-1 in 2009. However this appears to be a package that is still widely in use in several distributions, and included in other software as a library.
I am attaching patches here to address the issue. These have been compile tested but I did not do any test beyond that. Please note that I am sending this via a mobile device and the patches might be mangled (hopefully not).
If you have any questions please contact me back. If you do issue an advisory, please credit Pedro Ribeiro (email@example.com).
Version-Release number of selected component (if applicable):
Created attachment 782955 [details]
The proper patch that fixes the issue
Please note that I have committed a stupid and lame mistake and actually introduced a format string vulnerability with the previous patch. This is the correct patch and should fix the issue, but please review it anyway.
Created attachment 783274 [details]
Yet another version of the patch
Yet another version of the patch, as per the comments in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718682#40.
Thanks for this, Pedro. I'm going to turn this into an SRT bug.
Bah, this already had a bug.
*** This bug has been marked as a duplicate of bug 992975 ***