Bugzilla Bug 264604

** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

On Monday 30 March 2009, Jan Lieskovsky wrote:
  A null pointer dereference flaw was found in the
LittleCMS color management system (lcms) in 
the way lcms performs transformation operations
when creating gray input matrix shaper. Processing
a malicious image file, with specially-crafted
ICC profile, could lead to denial of service.

CVE information: CVE-2009-0793 has been already assigned.

Proposed embargo date: 2009-04-02

This is going public today. It would be preferable if we could bump to lcms
1.18 and apply the patch on top later when RedHat opens up the embargo.

Created an attachment (id=187064) [details]
lcms-CVE-2009-0793.patch

This is now public. Since the patch is pretty non-intrusive, it could be
applied easily. However, I contacted upstream concerning a new release
timeframe.

Added and bumped to 1.18-r1.  Sorry for the slow turnaround...

upstream is currently conduction regression tests on the patch. I suggest we
wait until they have been completed. This bug should only allow for a DoS
anyway.

CVE-2009-0793 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0793):
  cmsxform.c in LittleCMS (aka lcms or liblcms) 1.18, as used in
  OpenJDK and other products, allows remote attackers to cause a denial
  of service (NULL pointer dereference and application crash) via a
  crafted image that triggers execution of incorrect code for
  "transformations of monochrome profiles."

Upstream has confirmed the patch and will release it as 1.18a later.

Arches, please test and mark stable:
=media-libs/lcms-1.18-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

amd64/x86 stable

ppc64 done

ppc done

Stable for HPPA.

Stable on alpha.

arm/ia64/s390/sh/sparc stable

GLSA together with bug 260269.

GLSA 200904-19