Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 416781 (CVE-2012-1616)

Summary: <media-gfx/argyllcms-1.4.0 icclib Use-After-Free handling error (CVE-2012-1616)
Product: Gentoo Security Reporter: Michael Harrison <n0idx80>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: dilfridge, mikemol
Priority: Normal Keywords: STABLEREQ
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/48921
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Michael Harrison 2012-05-20 18:48:18 UTC 
The vulnerability is caused due to a use-after-free error when handling ICC profiles and can be exploited via a specially crafted image file.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in icclib versions prior to 2.13.

Solution
Update to icclib version 2.13 bundled in Argyll Color Management System version 1.4.0.
Comment 1 Michael Harrison 2012-05-20 18:50:04 UTC 
Per Dilfridge via IRC:
May also affect ghostscript-gpl because it bundles icclib
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2012-05-20 18:59:26 UTC 
(In reply to comment #1)
> Per Dilfridge via IRC:
> May also affect ghostscript-gpl because it bundles icclib

See bug 206893 for details and progress on this. The icclib in ghostscript is quite old but may carry local fixes.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-05-20 22:41:33 UTC 
This may help as well: http://www.argyllcms.com/icc_readme.html

Andreas, are we ok to stabilize =media-gfx/argyllcms-1.4.0? Tnx.
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2012-05-20 22:47:42 UTC 
(In reply to comment #3)
> This may help as well: http://www.argyllcms.com/icc_readme.html
> 
> Andreas, are we ok to stabilize =media-gfx/argyllcms-1.4.0? Tnx.

Sure, go ahead.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-05-20 22:51:49 UTC 
Great, thanks.

Arches, please test and mark stable:
=media-gfx/argyllcms-1.4.0
Target keywords : "amd64 x86"
Comment 6 Michael Weber (RETIRED) gentoo-dev 2012-05-21 02:17:41 UTC 
*** Bug 416837 has been marked as a duplicate of this bug. ***
Comment 7 Agostino Sarubbo gentoo-dev 2012-05-21 20:42:08 UTC 
amd64 stable
Comment 8 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-05-21 21:45:42 UTC 
x86 stable
Comment 9 Andreas K. Hüttel archtester gentoo-dev 2012-05-21 23:29:24 UTC 
Vulnerable argyllcms version removed from the tree.
Comment 10 Michael Harrison 2012-05-22 19:54:54 UTC 
Thanks everyone GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-06-18 22:29:45 UTC 
This issue was resolved and addressed in
 GLSA 201206-04 at http://security.gentoo.org/glsa/glsa-201206-04.xml
by GLSA coordinator Sean Amoss (ackle).