** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date **

On Monday 30 March 2009, Jan Lieskovsky wrote:

A null pointer dereference flaw was found in the LittleCMS color management system (lcms) in the way lcms performs transformation operations when creating gray input matrix shaper. Processing a malicious image file, with specially-crafted ICC profile, could lead to denial of service.

CVE information: CVE-2009-0793 has been already assigned.

Proposed embargo date: 2009-04-02
This is going public today. It would be preferable if we could bump to lcms 1.18 and apply the patch on top later when RedHat opens up the embargo.
Created attachment 187064: lcms-CVE-2009-0793.patch
This is now public. Since the patch is pretty non-intrusive, it could be applied easily. However, I contacted upstream concerning a new release timeframe.
Added and bumped to 1.18-r1. Sorry for the slow turnaround...
Upstream is currently conducting regression tests on the patch. I suggest we wait until they have been completed. This bug should only allow for a DoS anyway.
CVE-2009-0793 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0793): cmsxform.c in LittleCMS (aka lcms or liblcms) 1.18, as used in OpenJDK and other products, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted image that triggers execution of incorrect code for "transformations of monochrome profiles."
Upstream has confirmed the patch and will release it as 1.18a later.
Arches, please test and mark stable: =media-libs/lcms-1.18-r1

Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
amd64/x86 stable
ppc64 done
ppc done
Stable for HPPA.
Stable on alpha.
arm/ia64/s390/sh/sparc stable
GLSA together with bug 260269.
GLSA 200904-19