Bug 435696 - <media-libs/icclib-2.14: code execution vulnerability (CVE-2012-4405)
Summary: <media-libs/icclib-2.14: code execution vulnerability (CVE-2012-4405)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-09-20 23:13 UTC by GLSAMaker/CVETool Bot
Modified: 2012-10-02 06:42 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---
Description GLSAMaker/CVETool Bot gentoo-dev 2012-09-20 23:13:59 UTC
CVE-2012-4405 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4405):
  Multiple integer underflows in the icmLut_allocate function in International
  Color Consortium (ICC) Format library (icclib), as used in Ghostscript 9.06
  and Argyll Color Management System, allow remote attackers to cause a denial
  of service (crash) and possibly execute arbitrary code via a crafted (1)
  PostScript or (2) PDF file with embedded images, which triggers a heap-based
  buffer overflow.  NOTE: this issue is also described as an array index
  error.


There is a patch available in the Red Hat bug:

https://bugzilla.redhat.com/attachment.cgi?id=609986
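The CVE text above describes a size computation in icmLut_allocate that wraps, so the heap buffer ends up shorter than the number of LUT entries that are later written, and the same header fields can also produce an out-of-range index. The C program below is added here to illustrate that bug class with a vulnerable size routine beside a hardened one; it is a constructed model with its own field names, ceilings and arithmetic, not icclib's icmLut_allocate and not the Red Hat patch linked above. The header values it feeds in are made up for the demonstration, not taken from a real profile.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Ceilings chosen for this example. ICC lut types carry at most 15 channels;
 * the entry and grid limits are this example's own. */
#define MAX_CHAN 15u
#define MAX_ENT  4096u
#define MAX_GRID 256u

/* Constructed LUT header: the dimensions an attacker controls through a
 * crafted embedded ICC profile. Field names are this example's, not icclib's. */
typedef struct {
    uint32_t input_chan;   /* input channels, one 1-D table each        */
    uint32_t input_ent;    /* entries per 1-D input table               */
    uint32_t clut_points;  /* grid points per dimension of the CLUT      */
    uint32_t output_chan;  /* values stored per CLUT cell               */
} lut_hdr;

/* --- vulnerable pattern ------------------------------------------------ */

/* Bytes a naive allocator requests for the 1-D input tables. The product is
 * taken in 32 bits and silently wraps, so a crafted header yields a small
 * buffer while the fill loop still runs input_chan * input_ent times. */
uint32_t lut_table_bytes_vuln(const lut_hdr *h)
{
    uint32_t entries = h->input_chan * h->input_ent;   /* wraps */
    return entries * (uint32_t)sizeof(float);          /* wraps again */
}

/* Index of the last entry of channel `chan`. With input_ent == 0 the
 * subtraction underflows to 0xFFFFFFFF: an index into a table with no
 * entries at all (the "array index error" reading of the CVE text). */
uint32_t lut_last_index_vuln(const lut_hdr *h, uint32_t chan)
{
    return chan * h->input_ent + (h->input_ent - 1);
}

/* --- hardened pattern -------------------------------------------------- */

/* a * b into *out, failing instead of wrapping. */
static int mul_ovf(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Range-check every header field, then compute the byte sizes of the input
 * tables and of the CLUT (clut_points ^ input_chan cells, output_chan values
 * each) with overflow-checked arithmetic.
 * Returns 0 on success, -1 if a field is out of range or a size would overflow. */
int lut_sizes_safe(const lut_hdr *h, size_t *in_bytes, size_t *clut_bytes)
{
    size_t n, cells = 1;
    uint32_t i;

    if (h->input_chan < 1 || h->input_chan > MAX_CHAN)   return -1;
    if (h->output_chan < 1 || h->output_chan > MAX_CHAN) return -1;
    if (h->input_ent < 2 || h->input_ent > MAX_ENT)      return -1; /* >= 1 interval */
    if (h->clut_points < 2 || h->clut_points > MAX_GRID) return -1;

    if (mul_ovf(h->input_chan, h->input_ent, &n) ||
        mul_ovf(n, sizeof(float), in_bytes))
        return -1;

    for (i = 0; i < h->input_chan; i++)              /* clut_points ^ input_chan */
        if (mul_ovf(cells, h->clut_points, &cells))
            return -1;
    if (mul_ovf(cells, h->output_chan, &n) ||
        mul_ovf(n, sizeof(float), clut_bytes))
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed header, not from a real profile: 65536 channels of 65537
     * entries makes the 32-bit product wrap to 65536 entries. */
    lut_hdr crafted = { 0x10000u, 0x10001u, 2, 1 };
    size_t in, clut;

    printf("naive allocator: %u bytes for %llu entries\n",
           (unsigned)lut_table_bytes_vuln(&crafted),
           (unsigned long long)crafted.input_chan * crafted.input_ent);
    printf("checked allocator: %s\n",
           lut_sizes_safe(&crafted, &in, &clut) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The checked version rejects the header rather than clamping it, which is the right response to a profile whose declared geometry cannot be allocated: an image carrying such a profile is malformed, and silently shrinking the table would only move the mismatch to the code that later indexes it.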
Comment 1 Tim Harder gentoo-dev 2012-09-24 02:36:41 UTC
Fixed in 2.14 in CVS and 2.13 has been removed from the tree.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-10-02 06:42:37 UTC
Thanks, Tim; closing noglsa.