Bug 991757 - lcms: multiple buffer overflows
Summary: lcms: multiple buffer overflows
Keywords:
Status: CLOSED DUPLICATE of bug 992975
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20130804,repor...
Depends On:
Blocks: 1000074
Reported: 2013-08-04 09:44 UTC by Pedro Ribeiro
Modified: 2019-06-08 19:40 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-08-22 15:45:10 UTC


Attachments
Patch to correct the buffer overflows (2.82 KB, patch), 2013-08-04 09:44 UTC, Pedro Ribeiro
The proper patch that fixes the issue (1.47 KB, patch), 2013-08-05 18:00 UTC, Pedro Ribeiro
Yet another version of the patch (1.81 KB, patch), 2013-08-06 11:40 UTC, Pedro Ribeiro


Links
System: Debian BTS, ID: 718682, Priority: None, Status: None, Summary: None, Last Updated: Never

Description Pedro Ribeiro 2013-08-04 09:44:38 UTC
Created attachment 782447 [details]
Patch to correct the buffer overflows

Description of problem:

I have found three (lame) buffer overflows in lcms-1.19. The problem lies in the use of dangerous functions like scanf and sprintf to handle user input.

I have contacted the Little CMS developer and his answer was that "people concerned about security should update to Little CMS v2". To be honest I think it's a reasonable answer since he has stopped supporting lcms-1 in 2009. However this appears to be a package that is still widely in use in several distributions, and included in other software as a library.

I am attaching patches here to address the issue. These have been compile tested but I did not do any test beyond that. Please note that I am sending this via a mobile device and the patches might be mangled (hopefully not).

If you have any questions please contact me back. If you do issue an advisory, please credit Pedro Ribeiro (pedrib@gmail.com).

Regards, 
Pedro

Version-Release number of selected component (if applicable):
1.19

Additional info:
Patch attached

Comment 2 Pedro Ribeiro 2013-08-05 18:00:07 UTC
Created attachment 782955 [details]
The proper patch that fixes the issue

Please note that I have committed a stupid and lame mistake and actually introduced a format string vulnerability with the previous patch. This is the correct patch and should fix the issue, but please review it anyway.
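Added example, not code from the bug report or from any of the attached lcms patches: bounded replacements for the sprintf and scanf patterns the report describes, written so that untrusted text never becomes the format argument, which is the class of bug Comment 2 says the first patch introduced. Function names, buffer sizes and the sample inputs are constructed for this example and do not correspond to lcms-1's real code.

```c
#include <stdio.h>
#include <string.h>

/* Stringify a width so the sscanf field width and the buffer size stay in sync. */
#define STR_(x) #x
#define STR(x) STR_(x)

/* Sizes are constructed for this example; lcms-1's real buffers differ. */
#define LINE_LEN 64
#define TOKEN_WIDTH 15                  /* max characters sscanf may store */
#define TOKEN_LEN (TOKEN_WIDTH + 1)     /* plus the terminating NUL */

/*
 * Bounded replacement for sprintf(buf, "%s=%s", name, value) into a fixed
 * buffer. The destination size caps the write, and name/value are always
 * arguments, never the format string, so a "%n" inside them stays literal
 * instead of becoming a format string vulnerability.
 * Returns 0 on success, 1 if the output was truncated, -1 on encoding error.
 */
int format_tag(char *out, size_t out_len, const char *name, const char *value)
{
    int n = snprintf(out, out_len, "%s=%s", name, value);
    if (n < 0)
        return -1;
    return ((size_t)n >= out_len) ? 1 : 0;
}

/*
 * Bounded replacement for sscanf(line, "%s", token): the field width limits
 * the copy to TOKEN_WIDTH characters however long the input is, so `token`
 * must hold TOKEN_LEN bytes. Returns 1 if a token was read, 0 otherwise.
 */
int parse_token(const char *line, char token[TOKEN_LEN])
{
    return sscanf(line, "%" STR(TOKEN_WIDTH) "s", token) == 1 ? 1 : 0;
}

int main(void)
{
    char line[LINE_LEN], token[TOKEN_LEN];
    /* Constructed inputs: a value carrying format directives, and an over-long token. */
    int rc = format_tag(line, sizeof line, "desc", "profile %n%s");
    printf("format_tag -> %d, line=\"%s\"\n", rc, line);
    rc = parse_token("aaaaaaaaaaaaaaaaaaaaaaaa trailing", token);
    printf("parse_token -> %d, token=\"%s\" (%zu chars)\n", rc, token, strlen(token));
    return 0;
}
```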

Comment 4 Pedro Ribeiro 2013-08-06 11:40:15 UTC
Created attachment 783274 [details]
Yet another version of the patch

Yet another version of the patch, as per the comments in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718682#40.

Comment 5 Vincent Danen 2013-08-22 15:20:27 UTC
Thanks for this, Pedro.  I'm going to turn this into an SRT bug.

Comment 7 Vincent Danen 2013-08-22 15:45:10 UTC
Bah, this already had a bug.

*** This bug has been marked as a duplicate of bug 992975 ***

