Bug 260269 (CVE-2009-0581) - <media-libs/lcms-1.18 integer overflows (CVE-2009-{0581,0723,0733})
Summary: <media-libs/lcms-1.18 integer overflows (CVE-2009-{0581,0723,0733})
Status: RESOLVED FIXED
Alias: CVE-2009-0581
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks: 221487
Reported: 2009-02-25 16:38 UTC by Robert Buchholz (RETIRED)
Modified: 2009-04-19 15:45 UTC (History)
CC: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments
- lcms-1.18beta1.tar.gz (893.84 KB, application/octet-stream), 2009-02-25 16:39 UTC, Robert Buchholz (RETIRED)
- lcms-1.17-CVE-2009-0581.patch (12.83 KB, patch), 2009-02-25 16:40 UTC, Robert Buchholz (RETIRED)
- ebuild with above patch (lcms-1.17-r1.ebuild, 1.53 KB, text/plain), 2009-02-27 17:12 UTC, Daniel Gryniewicz (RETIRED)
- lcms-1.18-beta1-additions.patch (1.68 KB, patch), 2009-03-07 17:31 UTC, Robert Buchholz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2009-02-25 16:38:51 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

LittleCMS, an open source color management engine, suffers from several
integer overflows resulting in stack based buffer overflows, various heap
errors and memory leaks. Decoding a specially crafted image file will
result in unexpected process termination, Denial Of Service conditions or
arbitrary code execution due to stack overflow.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-02-25 16:39:35 UTC
Created attachment 183152 [details]
lcms-1.18beta1.tar.gz
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-02-25 16:40:28 UTC
Created attachment 183153 [details, diff]
lcms-1.17-CVE-2009-0581.patch
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-02-25 16:44:32 UTC
I'm attaching you guys as you either touched the package in the past or are part of printing -- if anyone cares about this, please prepare an ebuild for the latest beta (distfile attached) or applying the patch, and attach it to this bug. We will do prestable testing here, do not commit anything to CVS!
For testing purposes, I can request PoCs with the researcher and forward them to you.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-02-25 18:06:13 UTC
CVE-2009-0581 - memory leak
CVE-2009-0723 - buffer overflows
CVE-2009-0733 - lack of upper-bounds check on sizes
Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-02-25 23:25:16 UTC
I'm removing myself from CC since I only made some minimal changes to the ebuild in the past.

Just to not make this comment useless, I'll point out that I could find no duplication of lcms functions in other software as passed by the tinderbox; the chances of it going under my radar are slim.

HTH!
Comment 6 Daniel Gryniewicz (RETIRED) gentoo-dev 2009-02-27 17:12:58 UTC
Created attachment 183389 [details]
ebuild with above patch

Here's an ebuild for lcms-1.17-r1 using the above patch.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-02-27 17:23:24 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : yoswink, armin76
   amd64 : keytoaster, tester
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
   sparc : fmccor
     x86 : maekke, armin76
Comment 8 Ferris McCormick (RETIRED) gentoo-dev 2009-02-27 18:51:48 UTC
1)  It would be better if the ebuild used the name of the patch on the bug (lcms-1.17-CVE-2009-0581.patch) instead of lcms-1.17-bug260269.patch (assuming those are the same).

2) On sparc, I see a strange test failure:
=====================================
Testing devicelink generation.........
dE: mean=0.00689702, SD=0.00518751, max=0.0350195 [460000 tics, 0.46 sec.]
lcms: Error #12288; Noncompliant device-link profile
Testing saved linearization devicelinkmake[1]: *** [check] Error 1
make[1]: Leaving directory `/var/tmp/portage/media-libs/lcms-1.17-r1/work/lcms-1.17/testbed'
make: *** [check-recursive] Error 1
======================================
Is this a problem?  If not, this seems good on sparc.
Comment 9 Daniel Gryniewicz (RETIRED) gentoo-dev 2009-02-27 19:52:13 UTC
Sorry, I apparently use the description rather than the name...

That test failure worries me.  It passes on 1.17, so the patch is causing it to fail (it fails on my box, as well).

Unfortunately, I don't know anything about lcms, so I cannot comment on how to fix the bug.  rbu:  Would it be better to go to upstream with this issue, or try the beta?  I'm leery of unleashing a beta directly to stable.

Unfortunately, printing is a bit defunct at the moment.
Comment 10 Ferris McCormick (RETIRED) gentoo-dev 2009-02-27 20:18:31 UTC
Yes, all tests pass on sparc, too, with lcms-1.17
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2009-02-27 22:32:49 UTC
Same test failure for HPPA and 1.17 unpatched is OK.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2009-02-28 01:43:37 UTC
(In reply to comment #9)
> Sorry, I apparently use the description rather than the name...

My fault, I changed name and description after opening the bug. I guess Bugzilla behaves weirdly once you do that.

> Unfortunately, I don't know anything about lcms, so I cannot comment on how to
> fix the bug.  rbu:  Would it be better to go to upstream with this issue, or
> try the beta?  I'm leery of unleashing a beta directly to stable.

Mailed ocert who are coordinating the issue with upstream.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2009-03-07 17:31:49 UTC
Created attachment 184243 [details, diff]
lcms-1.18-beta1-additions.patch
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2009-03-07 17:36:27 UTC
The patch included in 1.18beta1 and linked above is incomplete. Chris Evans sent in an update (on top of beta1) to the maintainer who will incorporate the patch, plus it is linked above. Considering the severity of the issue and complexity of creating a final patch, the embargo date has been pushed to March 19.

As far as we are concerned, can we get prestable testing for the "beta1" release with the additional patch? The backported patch seems a lot less clean than the snapshot we have available.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2009-03-19 19:35:26 UTC
This is now public. However, we have not been able to prepare an ebuild in time and upstream's latest release is beta2.
Comment 16 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-23 22:02:36 UTC
CVE-2009-0581 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0581):
  Memory leak in LittleCMS (aka lcms or liblcms) before 1.18beta2, as
  used in Firefox 3.1beta, OpenJDK, and GIMP, allows context-dependent
  attackers to cause a denial of service (memory consumption and
  application crash) via a crafted image file.

CVE-2009-0723 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0723):
  Multiple integer overflows in LittleCMS (aka lcms or liblcms) before
  1.18beta2, as used in Firefox 3.1beta, OpenJDK, and GIMP, allow
  context-dependent attackers to execute arbitrary code via a crafted
  image file that triggers a heap-based buffer overflow.  NOTE: some of
  these details are obtained from third party information.

CVE-2009-0733 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0733):
  Multiple stack-based buffer overflows in the ReadSetOfCurves function
  in LittleCMS (aka lcms or liblcms) before 1.18beta2, as used in
  Firefox 3.1beta, OpenJDK, and GIMP, allow context-dependent attackers
  to execute arbitrary code via a crafted image file associated with a
  large integer value for the (1) input or (2) output channel, related
  to the ReadLUT_A2B and ReadLUT_B2A functions.
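All three CVEs quoted above share one root cause: counts read from the profile (channels, table sizes) are used as buffer lengths or indices without an upper bound, so a large value either wraps a size computation or overruns a fixed-size stack array. The following C parser is an added illustration written for this page; it is not lcms code and not from any attachment on this bug. It parses a constructed, hypothetical curve-set layout and shows the three checks such a parser needs: an upper bound on every file-controlled count, an overflow-safe multiply before the product is used as a size, and a check that the input actually contains the bytes the header claims. The names (parse_curve_set, MAX_CHANNELS, MAX_ENTRIES, the blob layout) and the sample inputs are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical ceilings for this example; not lcms's own constants. */
#define MAX_CHANNELS 16u
#define MAX_ENTRIES  1024u
#define HDR_LEN      8u

/* Overflow-safe 32-bit multiply: returns 1 and stores a*b in *out when the
   product fits in 32 bits, 0 otherwise. The vulnerable pattern
   "size = channels * entries * 2" has no such check and silently wraps. */
int checked_mul_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Convenience wrapper: 1 if a*b would wrap a uint32_t, else 0. */
int would_wrap(uint32_t a, uint32_t b)
{
    uint32_t r;
    return !checked_mul_u32(a, b, &r);
}

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse a constructed curve-set blob into a caller-supplied table of
   table_cap samples. Layout (hypothetical): u32le channel count, u32le
   entries per channel, then channels*entries u16le samples. Returns the
   channel count on success, -1 if the input is rejected. Every size derived
   from the file is bounded before it is used as a size or an index. */
int parse_curve_set(const uint8_t *buf, size_t len, uint16_t *table, size_t table_cap)
{
    if (len < HDR_LEN)
        return -1;
    uint32_t channels = rd32le(buf);
    uint32_t entries  = rd32le(buf + 4);

    /* Upper-bounds checks on the file-controlled counts (the check CVE-2009-0733 lacked). */
    if (channels == 0 || channels > MAX_CHANNELS) return -1;
    if (entries == 0 || entries > MAX_ENTRIES) return -1;

    /* Overflow-safe size computation (the check the CVE-2009-0723 overflows lacked). */
    uint32_t samples, bytes;
    if (!checked_mul_u32(channels, entries, &samples)) return -1;
    if (!checked_mul_u32(samples, 2, &bytes)) return -1;

    /* The destination (a fixed-size stack array in the caller) must hold them all. */
    if (samples > table_cap) return -1;
    /* The input must actually contain that many bytes. */
    if (len - HDR_LEN < bytes) return -1;

    for (uint32_t i = 0; i < samples; i++)
        table[i] = rd16le(buf + HDR_LEN + 2 * i);
    return (int)channels;
}

/* Constructed sample input: 3 channels, 2 entries each, samples 1..6. */
static const uint8_t GOOD_BLOB[] = { 3,0,0,0, 2,0,0,0, 1,0, 2,0, 3,0, 4,0, 5,0, 6,0 };
/* Constructed hostile input: channel count 0xFFFFFFFF. */
static const uint8_t BAD_BLOB[]  = { 0xff,0xff,0xff,0xff, 2,0,0,0 };
/* Constructed truncated input: header claims 3x2 samples, only 2 are present. */
static const uint8_t TRUNC_BLOB[] = { 3,0,0,0, 2,0,0,0, 1,0, 2,0 };

/* Returns the sum of the parsed samples (21 for GOOD_BLOB), or -1 on rejection. */
int demo_good_sum(void)
{
    uint16_t table[MAX_CHANNELS * MAX_ENTRIES];
    int channels = parse_curve_set(GOOD_BLOB, sizeof GOOD_BLOB, table, MAX_CHANNELS * MAX_ENTRIES);
    if (channels < 0) return -1;
    int sum = 0;
    for (uint32_t i = 0; i < (uint32_t)channels * 2; i++) sum += table[i];
    return sum;
}

int demo_bad(void)
{
    uint16_t table[MAX_CHANNELS * MAX_ENTRIES];
    return parse_curve_set(BAD_BLOB, sizeof BAD_BLOB, table, MAX_CHANNELS * MAX_ENTRIES);
}

int demo_truncated(void)
{
    uint16_t table[MAX_CHANNELS * MAX_ENTRIES];
    return parse_curve_set(TRUNC_BLOB, sizeof TRUNC_BLOB, table, MAX_CHANNELS * MAX_ENTRIES);
}

int main(void)
{
    printf("good: %d  bad: %d  truncated: %d  wrap(0x80000000,2): %d\n",
           demo_good_sum(), demo_bad(), demo_truncated(), would_wrap(0x80000000u, 2));
    return 0;
}
```

The order of the checks matters: the counts are bounded first, so the multiply and the length comparison only ever see small values, and the table capacity check is still kept so the function stays correct if the ceilings are ever raised.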

Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2009-04-02 07:30:19 UTC
1.18 is out incorporating all patches linked here.
Comment 18 Tomáš Chvátal (RETIRED) gentoo-dev 2009-04-03 17:42:44 UTC
Hi,
kde team needed lcms-1.18 so I bumped it.
I suggest you to faststable 1.18 and remove all other versions.

Howgh ;]
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2009-04-04 12:55:59 UTC
Arches, please test and mark stable:
=media-libs/lcms-1.18
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 20 Brent Baude (RETIRED) gentoo-dev 2009-04-04 13:52:25 UTC
ppc64 done
Comment 21 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-04 14:45:58 UTC
amd64 done
Comment 22 Markus Meier gentoo-dev 2009-04-04 14:57:06 UTC
x86 stable
Comment 23 Brent Baude (RETIRED) gentoo-dev 2009-04-04 16:11:50 UTC
ppc done
Comment 24 Tobias Klausmann (RETIRED) gentoo-dev 2009-04-05 11:11:12 UTC
Stable on alpha.
Comment 25 Friedrich Oslage (RETIRED) gentoo-dev 2009-04-05 12:17:30 UTC
sparc stable
Comment 26 Raúl Porcel (RETIRED) gentoo-dev 2009-04-06 13:00:41 UTC
arm/ia64/s390/sh stable
Comment 27 Jeroen Roovers (RETIRED) gentoo-dev 2009-04-06 15:25:24 UTC
I seem to be a bit late this time. Would it be alright to stabilise 1.18-r1 instead?
Comment 28 Robert Buchholz (RETIRED) gentoo-dev 2009-04-06 16:05:35 UTC
Yes please, I was about to add arches to bug 264604 anyway.
Comment 29 Jeroen Roovers (RETIRED) gentoo-dev 2009-04-06 16:15:55 UTC
Stable for HPPA.
Comment 30 Tobias Heinlein (RETIRED) gentoo-dev 2009-04-11 21:09:24 UTC
Okay, does that mean we need 1.18-r1 stable on *all* arches? If yes, why didn't you (rbu) add all arches again?
Comment 31 Robert Buchholz (RETIRED) gentoo-dev 2009-04-12 15:31:03 UTC
(In reply to comment #30)
> Okay, does that mean we need 1.18-r1 stable on *all* arches? If yes, why didn't
> you (rbu) add all arches again?

Let's discuss this on bug 264604.
Comment 32 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-19 15:45:25 UTC
GLSA 200904-19