Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 628478 - <media-libs/lcms-2.9: Heap-buffer-overflow in TetrahedralInterpFloat
Summary: <media-libs/lcms-2.9: Heap-buffer-overflow in TetrahedralInterpFloat
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugs.chromium.org/p/oss-fuzz/...
Whiteboard: A4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-21 07:23 UTC by Agostino Sarubbo
Modified: 2018-11-25 04:08 UTC (History)
1 user (show)

See Also:
Package list:
=media-libs/lcms-2.9
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-08-21 07:23:12 UTC
OSS-Fuzz is a Continuous Fuzzing for Open Source Software. See $URL for more details about the issue.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 2 Tim Harder gentoo-dev 2017-11-19 02:52:25 UTC
Should be fixed in 2.9 in the tree, feel free to start stabilization.
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-19 03:59:11 UTC
@Arches please test and mark stable.

Thank you
Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-19 03:59:55 UTC
(In reply to Christopher Díaz Riveros from comment #3)
> @Arches please test and mark stable.
> 
> Thank you
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-19 18:25:13 UTC
hppa/ppc/ppc64 stable

Single Multilocalized test fails on BE arches. Reported upstream as: https://github.com/mm2/Little-CMS/pull/142
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-19 19:22:17 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2017-11-19 19:46:38 UTC
arm stable
Comment 8 Manuel Rüger (RETIRED) gentoo-dev 2017-11-20 13:56:58 UTC
Stable on amd64
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-20 22:09:13 UTC
ia64 stable
Comment 10 Rolf Eike Beer archtester 2017-11-24 16:35:10 UTC
Since bug 638192 seems to affect all bigendian archs: sparc fine.
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-25 18:54:25 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 12 Tobias Klausmann (RETIRED) gentoo-dev 2017-11-30 20:21:25 UTC
Stable on alpha.
Comment 13 D'juan McDonald (domhnall) 2018-01-05 03:23:35 UTC
@security, please add bug ID to CVETool, thank you.


Gentoo Security Padawan
(Jmbailey/mbailey_j)
Comment 14 Mart Raudsepp gentoo-dev 2018-03-03 12:32:34 UTC
arm64 stable
Comment 15 Larry the Git Cow gentoo-dev 2018-09-18 18:25:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=139bfc57747c094af6dc04e4485e433dd56acbde

commit 139bfc57747c094af6dc04e4485e433dd56acbde
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-09-18 15:41:14 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-09-18 18:25:03 +0000

    media-libs/lcms: Cleanup vulnerable
    
    Bug: https://bugs.gentoo.org/628478
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 media-libs/lcms/Manifest                           |  1 -
 .../lcms/files/lcms-2.8-CVE-2016-10165.patch       | 22 ----------
 media-libs/lcms/lcms-2.8-r1.ebuild                 | 46 -------------------
 media-libs/lcms/lcms-2.8-r2.ebuild                 | 51 ----------------------
 4 files changed, 120 deletions(-)
Comment 16 Andreas Sturmlechner gentoo-dev 2018-09-30 16:16:59 UTC
ping sec.
Comment 17 Aaron Bauman (RETIRED) gentoo-dev 2018-11-25 04:08:03 UTC
Tree is clean