The vulnerability is caused due to a use-after-free error when handling ICC profiles and can be exploited via a specially crafted image file. Successful exploitation may allow execution of arbitrary code. The vulnerability is reported in icclib versions prior to 2.13. Solution Update to icclib version 2.13 bundled in Argyll Color Management System version 1.4.0.
Per Dilfridge via IRC: May also affect ghostscript-gpl because it bundles icclib
(In reply to comment #1) > Per Dilfridge via IRC: > May also affect ghostscript-gpl because it bundles icclib See bug 206893 for details and progress on this. The icclib in ghostscript is quite old but may carry local fixes.
This may help as well: http://www.argyllcms.com/icc_readme.html Andreas, are we ok to stabilize =media-gfx/argyllcms-1.4.0? Tnx.
(In reply to comment #3) > This may help as well: http://www.argyllcms.com/icc_readme.html > > Andreas, are we ok to stabilize =media-gfx/argyllcms-1.4.0? Tnx. Sure, go ahead.
Great, thanks. Arches, please test and mark stable: =media-gfx/argyllcms-1.4.0 Target keywords : "amd64 x86"
*** Bug 416837 has been marked as a duplicate of this bug. ***
amd64 stable
x86 stable
Vulnerable argyllcms version removed from the tree.
Thanks everyone GLSA request filed.
This issue was resolved and addressed in GLSA 201206-04 at http://security.gentoo.org/glsa/glsa-201206-04.xml by GLSA coordinator Sean Amoss (ackle).