From ${URL} :

Three (two in the ColorSpace conversion calculator, one in the TIFF compare utility) stack-based buffer overflow flaws were found in the way the icctrans / tiffdiff tools of LittleCMS, the color management system, processed certain ICC color profile / TIFF image format files. A remote attacker could provide specially-crafted ICC color profile / TIFF image format files that, when opened in the color space conversion calculator (icctrans) or the TIFF compare utility (tiffdiff) of LittleCMS, would lead to a crash of that utility.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718682
[2] http://www.openwall.com/lists/oss-security/2013/08/05/2

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
*lcms-1.19-r3 (23 Oct 2014)

23 Oct 2014; Matthias Maier <tamiko@gentoo.org> +files/lcms-1.19-cve-2013-4276.patch, +lcms-1.19-r3.ebuild:
fix CVE-2013-4276 wrt bug #479874

There is already a STABLEREQ bug report for lcms:0 (vulnerable version 1.9-r2) in bug #525262.

In order to drop all vulnerable versions (lcms-1.19, lcms-1.19-r1, lcms-1.19-r2), version 1.19-r3 has to be stabilized for the following arches: alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86
*** Bug 525262 has been marked as a duplicate of this bug. ***
Stable for HPPA.
lcms:0 will be removed from the tree. After talking with the maintainer, we don't need to stabilize here.
This issue was resolved and addressed in GLSA 201412-46 at http://security.gentoo.org/glsa/glsa-201412-46.xml by GLSA coordinator Yury German (BlueKnight).
How can this be resolved with insecure versions of 1.9 still in the tree, and with a critical package (app-emulation/emul-linux-x86-baselibs) actually depending on one of the insecure versions?
(In reply to throw_away_2002 from comment #6)
> How can this be resolved with insecure versions of 1.9 still in the tree,

Masked for removal:

27 May 2015; Matthias Maier <tamiko@gentoo.org> package.mask:
mask lcms:0 for removal, bug #526642