Bug 991757 - lcms: multiple buffer overflows
Status: CLOSED DUPLICATE of bug 992975
Product: Security Response
Classification: Other
Component: vulnerability
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Blocks: 1000074
Reported: 2013-08-04 05:44 EDT by Pedro Ribeiro
Modified: 2015-07-31 07:12 EDT

Doc Type: Bug Fix
Last Closed: 2013-08-22 11:45:10 EDT
Type: Bug

Attachments
Patch to correct the buffer overflows (2.82 KB, patch) - 2013-08-04 05:44 EDT, Pedro Ribeiro
The proper patch that fixes the issue (1.47 KB, patch) - 2013-08-05 14:00 EDT, Pedro Ribeiro
Yet another version of the patch (1.81 KB, patch) - 2013-08-06 07:40 EDT, Pedro Ribeiro

External Trackers
Debian BTS 718682

Description Pedro Ribeiro 2013-08-04 05:44:38 EDT
Created attachment 782447
Patch to correct the buffer overflows

Description of problem:

I have found three (lame) buffer overflows in lcms-1.19. The problem lies in the use of dangerous functions like scanf and sprintf to handle user input.

I have contacted the Little CMS developer and his answer was that "people concerned about security should update to Little CMS v2". To be honest I think it's a reasonable answer since he has stopped supporting lcms-1 in 2009. However this appears to be a package that is still widely in use in several distributions, and included in other software as a library.

I am attaching patches here to address the issue. These have been compile-tested but I did not do any test beyond that. Please note that I am sending this via a mobile device and the patches might be mangled (hopefully not).

If you have any questions please contact me back. If you do issue an advisory, please credit Pedro Ribeiro (pedrib@gmail.com).


Version-Release number of selected component (if applicable):

Additional info:
Patch attached
Comment 2 Pedro Ribeiro 2013-08-05 14:00:07 EDT
Created attachment 782955
The proper patch that fixes the issue

Please note that I have committed a stupid and lame mistake and actually introduced a format string vulnerability with the previous patch. This is the correct patch and should fix the issue, but please review it anyway.
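The two pitfalls in this thread, an unbounded sscanf("%s")/sprintf pair (the bug class the description names) and a "fix" that hands user text to snprintf as the format string (the mistake Comment 2 says the first patch introduced), side by side in one added example. This is editor-supplied illustration code, not lcms's parser and not any of the attached patches; the "name value" line format, the struct record layout and NAME_MAX are constructed for the example, and the fixed-size buffer only stands in for whatever field an ICC parser fills.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed fixed-size record for the example: a short name and an
 * integer parsed from a line such as "GammaTag 42".  Not lcms's layout. */
#define NAME_MAX    32            /* bytes in the destination buffer   */
#define FIELD_WIDTH 31            /* NAME_MAX - 1, leaves room for NUL */
#define XSTR(x) #x
#define STR(x)  XSTR(x)           /* STR(FIELD_WIDTH) expands to "31"   */

struct record {
    char name[NAME_MAX];
    int  value;
};

/* VULNERABLE pattern (the bug class the report describes, not lcms's
 * actual code): sscanf("%s") has no field width and sprintf has no bound,
 * so a token longer than 31 bytes overruns tmp and then r->name.
 * Only call this with short input; a long token corrupts the stack. */
int parse_unsafe(struct record *r, const char *line)
{
    char tmp[NAME_MAX];
    if (sscanf(line, "%s %d", tmp, &r->value) != 2)
        return -1;
    sprintf(r->name, "%s", tmp);          /* unbounded copy */
    return 0;
}

/* HARDENED: the conversion carries a field width, %n records how far the
 * scan got so an over-long token is rejected rather than silently
 * truncated, and the copy uses snprintf with a literal "%s" format so the
 * input can never be interpreted as directives.
 * Returns 0 on success, -1 on malformed input, -2 if the name does not fit. */
int parse_safe(struct record *r, const char *line)
{
    char tmp[NAME_MAX];
    int consumed = 0;
    int n;

    if (sscanf(line, "%" STR(FIELD_WIDTH) "s%n", tmp, &consumed) != 1)
        return -1;                        /* empty or whitespace-only line */
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed]))
        return -2;                        /* token longer than FIELD_WIDTH */
    if (sscanf(line + consumed, "%d", &r->value) != 1)
        return -1;                        /* missing or non-numeric value */

    /* NOT: snprintf(r->name, sizeof r->name, tmp);
     * Bounding the write does not help if tmp becomes the format string:
     * a name containing "%n" or "%s" would then be interpreted, not copied. */
    n = snprintf(r->name, sizeof r->name, "%s", tmp);
    if (n < 0 || (size_t)n >= sizeof r->name)
        return -2;                        /* unreachable after the width check; kept as a guard */
    return 0;
}

int main(void)
{
    struct record r;
    const char *inputs[] = {              /* constructed sample lines */
        "GammaTag 42",
        "100%%sure 7",                    /* percent signs must survive as data */
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 42",  /* 40-byte token */
        "abc xyz",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = parse_safe(&r, inputs[i]);
        printf("%-45s -> rc=%d", inputs[i], rc);
        if (rc == 0)
            printf(" name=\"%s\" value=%d", r.name, r.value);
        putchar('\n');
    }
    return 0;
}
```

The width in the scanf format and the buffer size are tied together through the STR() macro so they cannot drift apart in a later edit, which is the usual way such a patch regresses; the %n check is what turns silent truncation into a rejected input.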
Comment 4 Pedro Ribeiro 2013-08-06 07:40:15 EDT
Created attachment 783274
Yet another version of the patch

Yet another version of the patch, as per the comments in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718682#40.
Comment 5 Vincent Danen 2013-08-22 11:20:27 EDT
Thanks for this, Pedro.  I'm going to turn this into an SRT bug.
Comment 7 Vincent Danen 2013-08-22 11:45:10 EDT
Bah, this already had a bug.

*** This bug has been marked as a duplicate of bug 992975 ***
