| Summary: | <media-libs/lcms-2.6-r1: insufficient ICC profile version validation (CVE-2014-0459) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | pacho, printing |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1087444 | ||
| Whiteboard: | A3 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
Is this a regression in dev-java/icedtea*? If yes, why does the summary state "media-libs/lcms"? (In reply to Matthias Maier from comment #1) > Is this a regression in dev-java/icedtea*? If yes, why does the summary > state "media-libs/lcms"? maybe lcms is used in icedtea. Ah yes, you're completely right. There is an issue with the version parsing as indicated by an upstream commit [1]. I have pushed (a slightly modified) version of above commit, lcms-2.6-r1 contains the fix (with lcms-2.6 left vulnerable; lcms-1* unknown) Unfortunately there is already a stabilization in progress for lcms-2.6 (without -r1) wrt bug #522310 - as I was not aware of this open security bug. Therefor I leave it up to security to decide what action to take, i.e. whether to cancle the stabilization and stabilize 2.6-r1 instead. Noteworthy is the fact that upstream does not consider this issue to be security relevant [2] and debian left it open on stable [3]. I'm terribly sorry for the mess this created. :-/ [1] https://github.com/mm2/Little-CMS/commit/74ba39195a0cf87c43f46a2fabd9c2168692822d [2] https://github.com/mm2/Little-CMS/issues/29 [3] https://security-tracker.debian.org/tracker/CVE-2014-0459 *** Bug 522310 has been marked as a duplicate of this bug. *** Arches, please stabilize media-libs/lcms-2.6-r1 Target keywords: alpha amd64 arm hppa ia64 ppc64 ppc sparc x86 arm64 m68k s390 sh Stable for HPPA. amd64 stable x86 stable Stable on alpha. sparc stable arm stable ia64 stable ppc stable ppc64 stable Version 2.6.-r1 is now stabilized on all stable arches. Therefore, I remove all vulnerable versions from the tree. 10 Nov 2014; Matthias Maier <tamiko@gentoo.org> -lcms-2.3.ebuild, -lcms-2.4.ebuild, -lcms-2.5-r1.ebuild, -lcms-2.5.ebuild, -lcms-2.6.ebuild: drop vulnerable versions wrt bug #507788; drop unstable arches back to testing This issue was resolved and addressed in GLSA 201412-46 at http://security.gentoo.org/glsa/glsa-201412-46.xml by GLSA coordinator Yury German (BlueKnight). |
From ${URL} : It was discovered that ICC profiles were not parsed correctly. An untrusted Java application or applet could possibly use this flaw to cause a denial of service. Fixed now in Oracle Java SE 7u55 and 8u5 via Oracle Critical Patch Update Advisory - April 2014. Fixed in IcedTea7 2.4.7: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-April/027222.html External References: http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html#AppendixJAVA @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.