Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 479874 (CVE-2013-4276)

Summary: media-libs/lcms: Stack-based buffer overflows in ColorSpace conversion calculator and TIFF compare utility (CVE-2013-4276)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: printing
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=992975
Whiteboard: A2 [glsa mask]
Package list:
Runtime testing required: ---
Bug Depends on: 526642    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2013-08-05 20:33:52 UTC
From ${URL} :

Three (two in ColorSpace conversion calculator, one in TIFF compare utility) stack-based buffer 
overflow flaws were found in the way icctrans / tiffdiff tools of LittleCMS, the color management 
system, used to process certain ICC color profile / TIFF image format files. Remote attacker could 
provide a specially-crafted ICC color profile / TIFF image format files that, when opened in color 
space conversion calculator (icctrans) or TIFF compare utility (tiffdiff) of LittleCMS would lead 
to that utility crash.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718682
[2] http://www.openwall.com/lists/oss-security/2013/08/05/2


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Matthias Maier gentoo-dev 2014-10-23 19:36:19 UTC
*lcms-1.19-r3 (23 Oct 2014)

  23 Oct 2014; Matthias Maier <tamiko@gentoo.org>
  +files/lcms-1.19-cve-2013-4276.patch, +lcms-1.19-r3.ebuild:
  fix CVE-2013-4276 wrt bug #479874


There is already a STABLEREQ bug report for lcms:0 (vulnerable version 1.9-r2) in bug #525262
	
In order to drop all vulnerable versions

  lcms-1.19 lcms-1.19-r1 lcms-1.19-r2

version 1.19-r3 has to be stabilized for the following arches:

  alpha
  amd64
  arm
  arm64
  hppa
  ia64
  m68k
  ppc
  ppc64
  s390
  sh
  sparc
  x86
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2014-10-23 20:49:34 UTC
*** Bug 525262 has been marked as a duplicate of this bug. ***
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2014-10-23 20:54:09 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2014-10-27 14:48:09 UTC
lcms:0 will be removed from the tree. After talk with the maintainer we don't need to stabilize here.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-03-03 14:20:55 UTC
This issue was resolved and addressed in
 GLSA 201412-46 at http://security.gentoo.org/glsa/glsa-201412-46.xml
by GLSA coordinator Yury German (BlueKnight).
Comment 6 ta2002 2015-03-06 13:08:16 UTC
How can this be resolved with insecure versions of 1.9 still in the tree, and with a critical package (app-emulation/emul-linux-x86-baselibs) actually depending on one of the insecure versions?
Comment 7 Matthias Maier gentoo-dev 2015-05-27 20:56:32 UTC
(In reply to throw_away_2002 from comment #6)
> How can this be resolved with insecure versions of 1.9 still in the tree,

Masked for removal

  27 May 2015; Matthias Maier <tamiko@gentoo.org> package.mask:
  mask lcms:0 for removal, bug #526642