Summary: | media-libs/lcms-2.6-r1: insufficient ICC profile version validation (CVE-2014-0459) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | pacho, printing
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1087444 | |
Whiteboard: | A3 [glsa] | |
Package list: | | Runtime testing required: | ---
Description
Agostino Sarubbo
Is this a regression in dev-java/icedtea*? If yes, why does the summary state "media-libs/lcms"?

(In reply to Matthias Maier from comment #1)
> Is this a regression in dev-java/icedtea*? If yes, why does the summary
> state "media-libs/lcms"?

Maybe lcms is used in icedtea.

Ah yes, you're completely right. There is an issue with the version parsing as indicated by an upstream commit [1]. I have pushed a (slightly modified) version of the above commit; lcms-2.6-r1 contains the fix (with lcms-2.6 left vulnerable; lcms-1* unknown).

Unfortunately there is already a stabilization in progress for lcms-2.6 (without -r1) wrt bug #522310, as I was not aware of this open security bug. Therefore I leave it up to security to decide what action to take, i.e. whether to cancel the stabilization and stabilize 2.6-r1 instead.

Noteworthy is the fact that upstream does not consider this issue to be security relevant [2] and Debian left it open on stable [3].

I'm terribly sorry for the mess this created. :-/

[1] https://github.com/mm2/Little-CMS/commit/74ba39195a0cf87c43f46a2fabd9c2168692822d
[2] https://github.com/mm2/Little-CMS/issues/29
[3] https://security-tracker.debian.org/tracker/CVE-2014-0459

*** Bug 522310 has been marked as a duplicate of this bug. ***

Arches, please stabilize media-libs/lcms-2.6-r1

Target keywords: alpha amd64 arm hppa ia64 ppc64 ppc sparc x86 arm64 m68k s390 sh

Stable for HPPA.

amd64 stable

x86 stable

Stable on alpha.

sparc stable

arm stable

ia64 stable

ppc stable

ppc64 stable

Version 2.6-r1 is now stabilized on all stable arches. Therefore, I remove all vulnerable versions from the tree.
10 Nov 2014; Matthias Maier <tamiko@gentoo.org> -lcms-2.3.ebuild, -lcms-2.4.ebuild, -lcms-2.5-r1.ebuild, -lcms-2.5.ebuild, -lcms-2.6.ebuild:
drop vulnerable versions wrt bug #507788; drop unstable arches back to testing

This issue was resolved and addressed in GLSA 201412-46 at http://security.gentoo.org/glsa/glsa-201412-46.xml by GLSA coordinator Yury German (BlueKnight).
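As an added illustration of the kind of check this bug is about (this is not lcms code and does not reproduce the upstream commit referenced above), the following stand-alone C snippet validates the version field of an ICC profile header strictly, rejecting malformed values instead of passing them through. It assumes only the ICC.1 header layout (a 128-byte header with the profile version in bytes 8..11 as a BCD major byte, a minor/bugfix nibble pair, and two reserved bytes); the function and type names are hypothetical, and the headers it parses are constructed in the code.

```c
/* Added example: strict validation of the ICC profile header version field.
 * Not lcms code; assumes only the ICC.1 header layout described in the lead-in. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ICC_HEADER_SIZE    128   /* fixed size of the ICC.1 profile header */
#define ICC_VERSION_OFFSET 8     /* bytes 8..11 hold the profile version */

typedef struct {
    unsigned major;
    unsigned minor;
    unsigned bugfix;
} icc_version;   /* hypothetical type name */

/* Decode one BCD byte (two decimal nibbles); returns -1 if a nibble is not 0..9. */
static int bcd_byte(uint8_t b) {
    unsigned hi = b >> 4, lo = b & 0x0f;
    if (hi > 9 || lo > 9) return -1;
    return (int)(hi * 10 + lo);
}

/* Validate the version field of an ICC profile header.
 * Returns 1 and fills *out when the field is well-formed, 0 otherwise.
 * The policy here is to reject rather than clamp: version bytes that are not
 * valid BCD, or reserved bytes that are non-zero, mark the profile as malformed. */
int icc_parse_version(const uint8_t *hdr, size_t len, icc_version *out) {
    if (hdr == NULL || out == NULL || len < ICC_HEADER_SIZE) return 0;
    const uint8_t *v = hdr + ICC_VERSION_OFFSET;
    int major = bcd_byte(v[0]);
    if (major < 0) return 0;
    unsigned minor = v[1] >> 4, bugfix = v[1] & 0x0f;
    if (minor > 9 || bugfix > 9) return 0;
    if (v[2] != 0 || v[3] != 0) return 0;     /* reserved bytes must be zero */
    out->major  = (unsigned)major;
    out->minor  = minor;
    out->bugfix = bugfix;
    return 1;
}

/* Build a constructed 128-byte header that carries only the version bytes.
 * Real headers carry many more fields; this is enough to exercise the check. */
void make_header(uint8_t *buf, uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3) {
    memset(buf, 0, ICC_HEADER_SIZE);
    buf[ICC_VERSION_OFFSET + 0] = b0;
    buf[ICC_VERSION_OFFSET + 1] = b1;
    buf[ICC_VERSION_OFFSET + 2] = b2;
    buf[ICC_VERSION_OFFSET + 3] = b3;
}

/* Convenience wrapper: returns major*100 + minor*10 + bugfix for a well-formed
 * header built from the four given bytes, or -1 when the validator rejects it. */
int icc_version_code(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t b3) {
    uint8_t hdr[ICC_HEADER_SIZE];
    icc_version ver;
    make_header(hdr, b0, b1, b2, b3);
    if (!icc_parse_version(hdr, sizeof hdr, &ver)) return -1;
    return (int)(ver.major * 100 + ver.minor * 10 + ver.bugfix);
}

int main(void) {
    /* A v4.3.0 header is accepted; an all-0xFF version field is rejected. */
    printf("v4.3.0 header   -> %d\n", icc_version_code(0x04, 0x30, 0x00, 0x00));
    printf("all-0xFF header -> %d\n", icc_version_code(0xff, 0xff, 0xff, 0xff));
    return 0;
}
```

The choice to reject rather than silently clamp is a design decision: clamping keeps a malformed profile usable, while rejecting surfaces it to the caller so it can be logged or refused before any further parsing depends on the version.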