Bug 416781 (CVE-2012-1616) - <media-gfx/argyllcms-1.4.0 icclib Use-After-Free handling error (CVE-2012-1616)
Status: RESOLVED FIXED
Alias: CVE-2012-1616
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/48921
Whiteboard: B2 [glsa]
Keywords: STABLEREQ
Reported: 2012-05-20 18:48 UTC by Michael Harrison
Modified: 2012-06-18 22:29 UTC
Description Michael Harrison 2012-05-20 18:48:18 UTC
The vulnerability is caused due to a use-after-free error when handling ICC profiles and can be exploited via a specially crafted image file.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in icclib versions prior to 2.13.

Solution
Update to icclib version 2.13 bundled in Argyll Color Management System version 1.4.0.
Comment 1 Michael Harrison 2012-05-20 18:50:04 UTC
Per Dilfridge via IRC:
May also affect ghostscript-gpl because it bundles icclib
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2012-05-20 18:59:26 UTC
(In reply to comment #1)
> Per Dilfridge via IRC:
> May also affect ghostscript-gpl because it bundles icclib

See bug 206893 for details and progress on this. The icclib in ghostscript is quite old but may carry local fixes.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-05-20 22:41:33 UTC
This may help as well: http://www.argyllcms.com/icc_readme.html

Andreas, are we ok to stabilize =media-gfx/argyllcms-1.4.0? Tnx.
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2012-05-20 22:47:42 UTC
(In reply to comment #3)
> This may help as well: http://www.argyllcms.com/icc_readme.html
> 
> Andreas, are we ok to stabilize =media-gfx/argyllcms-1.4.0? Tnx.

Sure, go ahead.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-05-20 22:51:49 UTC
Great, thanks.

Arches, please test and mark stable:
=media-gfx/argyllcms-1.4.0
Target keywords : "amd64 x86"
Comment 6 Michael Weber (RETIRED) gentoo-dev 2012-05-21 02:17:41 UTC
*** Bug 416837 has been marked as a duplicate of this bug. ***
Comment 7 Agostino Sarubbo gentoo-dev 2012-05-21 20:42:08 UTC
amd64 stable
Comment 8 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-05-21 21:45:42 UTC
x86 stable
Comment 9 Andreas K. Hüttel archtester gentoo-dev 2012-05-21 23:29:24 UTC
Vulnerable argyllcms version removed from the tree.
Comment 10 Michael Harrison 2012-05-22 19:54:54 UTC
Thanks everyone, GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-06-18 22:29:45 UTC
This issue was resolved and addressed in GLSA 201206-04 at http://security.gentoo.org/glsa/glsa-201206-04.xml by GLSA coordinator Sean Amoss (ackle).