| Field | Value |
|---|---|
| Summary | <media-libs/lcms-1.18 integer overflows (CVE-2009-{0581,0723,0733}) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Status | RESOLVED FIXED |
| Severity | major |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Robert Buchholz (RETIRED) <rbu> |
| Assignee | Gentoo Security <security> |
| CC | printing |
| Whiteboard | A2 [glsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | |
| Bug Blocks | 221487 |
| Attachments | 183152 lcms-1.18beta1.tar.gz; 183153 lcms-1.17-CVE-2009-0581.patch; 183389 ebuild with above patch; 184243 lcms-1.18-beta1-additions.patch |
Description
Robert Buchholz (RETIRED)

Created attachment 183152 [details]
lcms-1.18beta1.tar.gz

Created attachment 183153 [details, diff]
lcms-1.17-CVE-2009-0581.patch

I'm attaching you guys as you either touched the package in the past or are part of printing -- if anyone cares about this, please prepare an ebuild for the latest beta (distfile attached) or apply the patch, and attach it to this bug. We will do prestable testing here, do not commit anything to CVS! For testing purposes, I can request PoCs with the researcher and forward them to you.

CVE-2009-0581 - memory leak
CVE-2009-0723 - buffer overflows
CVE-2009-0733 - lack of upper-bounds check on sizes

Comment
I'm removing myself from CC since I only made some minimal changes to the ebuild in the past. Just to not make this comment useless, I'll point out that I could find no duplication of lcms functions in other software as passed by the tinderbox; the chances of it going under my radar are slim. HTH!

Comment
Created attachment 183389 [details]
ebuild with above patch

Here's an ebuild for lcms-1.17-r1 using the above patch.

Comment
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
CC'ing current Liaisons:
alpha : yoswink, armin76
amd64 : keytoaster, tester
hppa : jer
ppc : dertobi123
ppc64 : corsair
sparc : fmccor
x86 : maekke, armin76

Comment
1) It would be better if the ebuild used the name of the patch on the bug (lcms-1.17-CVE-2009-0581.patch) instead of lcms-1.17-bug260269.patch (assuming those are the same).
2) On sparc, I see a strange test failure:

    =====================================
    Testing devicelink generation......... dE: mean=0.00689702, SD=0.00518751, max=0.0350195 [460000 tics, 0.46 sec.]
    lcms: Error #12288; Noncompliant device-link profile
    Testing saved linearization devicelink
    make[1]: *** [check] Error 1
    make[1]: Leaving directory `/var/tmp/portage/media-libs/lcms-1.17-r1/work/lcms-1.17/testbed'
    make: *** [check-recursive] Error 1
    ======================================

Is this a problem? If not, this seems good on sparc.

Comment
Sorry, I apparently use the description rather than the name...

That test failure worries me. It passes on 1.17, so the patch is causing it to fail (it fails on my box, as well). Unfortunately, I don't know anything about lcms, so I cannot comment on how to fix the bug. rbu: Would it be better to go to upstream with this issue, or try the beta? I'm leery of unleashing a beta directly to stable.

Unfortunately, printing is a bit defunct at the moment.

Comment
Yes, all tests pass on sparc, too, with lcms-1.17.

Comment
Same test failure for HPPA, and 1.17 unpatched is OK.

Comment
(In reply to comment #9)
> Sorry, I apparently use the description rather than the name...

My fault, I changed name and description after opening the bug. I guess Bugzilla behaves weirdly once you do that.

> Unfortunately, I don't know anything about lcms, so I cannot comment on how to
> fix the bug. rbu: Would it be better to go to upstream with this issue, or
> try the beta? I'm leery of unleashing a beta directly to stable.

Mailed ocert, who are coordinating the issue with upstream.

Comment
Created attachment 184243 [details, diff]
lcms-1.18-beta1-additions.patch

The patch included in 1.18beta1 and linked above is incomplete. Chris Evans sent in an update (on top of beta1) to the maintainer, who will incorporate the patch; plus it is linked above. Considering the severity of the issue and the complexity of creating a final patch, the embargo date has been pushed to March 19.

As far as we are concerned, can we get prestable testing for the "beta1" release with the additional patch? The backported patch seems a lot less clean than the snapshot we have available.

Comment
This is now public. However, we have not been able to prepare an ebuild in time, and upstream's latest release is beta2.

CVE-2009-0581 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0581):
Memory leak in LittleCMS (aka lcms or liblcms) before 1.18beta2, as used in Firefox 3.1beta, OpenJDK, and GIMP, allows context-dependent attackers to cause a denial of service (memory consumption and application crash) via a crafted image file.

CVE-2009-0723 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0723):
Multiple integer overflows in LittleCMS (aka lcms or liblcms) before 1.18beta2, as used in Firefox 3.1beta, OpenJDK, and GIMP, allow context-dependent attackers to execute arbitrary code via a crafted image file that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information.

CVE-2009-0733 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0733):
Multiple stack-based buffer overflows in the ReadSetOfCurves function in LittleCMS (aka lcms or liblcms) before 1.18beta2, as used in Firefox 3.1beta, OpenJDK, and GIMP, allow context-dependent attackers to execute arbitrary code via a crafted image file associated with a large integer value for the (1) input or (2) output channel, related to the ReadLUT_A2B and ReadLUT_B2A functions.

Comment
1.18 is out, incorporating all patches linked here.

Comment
Hi, the kde team needed lcms-1.18, so I bumped it. I suggest you faststable 1.18 and remove all other versions.
Howgh ;]

Comment
Arches, please test and mark stable:
=media-libs/lcms-1.18
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Comment
ppc64 done

Comment
amd64 done

Comment
x86 stable

Comment
ppc done

Comment
Stable on alpha.

Comment
sparc stable

Comment
arm/ia64/s390/sh stable

Comment
I seem to be a bit late this time. Would it be alright to stabilise 1.18-r1 instead?

Comment
Yes please, I was about to add arches to bug 264604 anyway.

Comment
Stable for HPPA.

Comment
Okay, does that mean we need 1.18-r1 stable on *all* arches? If yes, why didn't you (rbu) add all arches again?

Comment
(In reply to comment #30)
> Okay, does that mean we need 1.18-r1 stable on *all* arches? If yes, why didn't
> you (rbu) add all arches again?

Let's discuss this on bug 264604.

GLSA 200904-19
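The three NVD descriptions quoted in the thread describe one bug class: a channel count or table size read from a crafted ICC profile is used to size a stack array or a heap allocation without an upper bound (CVE-2009-0733) or with a multiplication that wraps in 32-bit arithmetic (CVE-2009-0723). The C below is an added illustration of that class and of the checks that close it; it is not lcms code and not taken from any attachment on this bug. The tag layout (a big-endian u16 channel count followed by that many u32 curve entries), the MAX_CHANNELS limit of 16, the function names and the sample tags are all assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example of the bug class behind CVE-2009-0723/0733: a
 * count taken from a crafted ICC profile drives a stack array or a heap
 * size. Not lcms code. The tag layout (big-endian u16 channel count
 * followed by count u32 curve entries) and MAX_CHANNELS are assumptions
 * made for this example. */
#define MAX_CHANNELS 16

enum parse_result {
    PARSE_OK = 0,
    PARSE_TOO_MANY = -1,   /* count larger than the fixed-size destination */
    PARSE_OVERFLOW = -2,   /* count * entry size wrapped in 32-bit arithmetic */
    PARSE_TRUNCATED = -3   /* buffer shorter than the count claims */
};

static uint16_t rd_be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The unchecked size computation: in 32-bit arithmetic 0x40000001 * 4
 * wraps to 4, so a 4-byte heap block is allocated and then overrun. */
uint32_t unchecked_table_bytes(uint32_t count, uint32_t entry_size)
{
    return count * entry_size;
}

/* Checked version: reports the overflow instead of wrapping. */
int checked_table_bytes(uint32_t count, uint32_t entry_size, uint32_t *out)
{
    if (entry_size != 0 && count > UINT32_MAX / entry_size)
        return 0;
    *out = count * entry_size;
    return 1;
}

/* Hardened reader for the constructed tag. Without the MAX_CHANNELS test
 * this is the CVE-2009-0733 pattern: a u16 count of 65535 walks far past
 * a 16-slot stack array. */
int parse_curve_table(const uint8_t *buf, size_t len,
                      uint32_t out[MAX_CHANNELS], size_t *nout)
{
    uint32_t need;
    if (len < 2)
        return PARSE_TRUNCATED;
    uint16_t count = rd_be16(buf);
    if (count > MAX_CHANNELS)                  /* upper bound on the count */
        return PARSE_TOO_MANY;
    if (!checked_table_bytes(count, 4, &need)) /* overflow-checked size */
        return PARSE_OVERFLOW;
    if (len - 2 < need)                        /* bytes actually present */
        return PARSE_TRUNCATED;
    for (size_t i = 0; i < count; i++)
        out[i] = rd_be32(buf + 2 + 4 * i);
    *nout = count;
    return PARSE_OK;
}

/* Constructed sample tags (not taken from any real profile). */
static const uint8_t GOOD_TAG[]    = { 0x00, 0x03, 0,0,0,1, 0,0,0,2, 0,0,0,3 };
static const uint8_t HOSTILE_TAG[] = { 0xFF, 0xFF, 0,0,0,1 };          /* count 65535 */
static const uint8_t SHORT_TAG[]   = { 0x00, 0x05, 0,0,0,1, 0,0,0,2 }; /* claims 5, has 2 */

int demo_good(void)
{
    uint32_t out[MAX_CHANNELS]; size_t n = 0;
    if (parse_curve_table(GOOD_TAG, sizeof GOOD_TAG, out, &n) != PARSE_OK)
        return 0;
    return n == 3 && out[0] == 1 && out[1] == 2 && out[2] == 3;
}

int demo_hostile(void)
{
    uint32_t out[MAX_CHANNELS]; size_t n = 0;
    return parse_curve_table(HOSTILE_TAG, sizeof HOSTILE_TAG, out, &n);
}

int demo_short(void)
{
    uint32_t out[MAX_CHANNELS]; size_t n = 0;
    return parse_curve_table(SHORT_TAG, sizeof SHORT_TAG, out, &n);
}

int demo_overflow_detected(void)
{
    uint32_t need = 0;
    return checked_table_bytes(0x40000001u, 4, &need) == 0;
}

int main(void)
{
    printf("unchecked 0x40000001*4 = %u\n", unchecked_table_bytes(0x40000001u, 4));
    printf("good=%d hostile=%d short=%d overflow_detected=%d\n",
           demo_good(), demo_hostile(), demo_short(), demo_overflow_detected());
    return 0;
}
```

The order of the three checks matters: the count bound is tested before any arithmetic on it, the multiplication is checked before its result is compared with the buffer length, and only then is anything copied. On a 64-bit host the wraparound in `unchecked_table_bytes` still reproduces because the arithmetic is done in `uint32_t`, which is the width the crafted-profile sizes were carried in.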