Bug 264604 (CVE-2009-0793) - <media-libs/lcms-1.18-r1 null pointer dereference (CVE-2009-0793)
Summary: <media-libs/lcms-1.18-r1 null pointer dereference (CVE-2009-0793)
Alias: CVE-2009-0793
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa]
Depends on:
Reported: 2009-04-02 10:53 UTC by Robert Buchholz (RETIRED)
Modified: 2009-04-19 15:45 UTC

See Also:
Package list:
Runtime testing required: ---

lcms-CVE-2009-0793.patch (lcms-CVE-2009-0793.patch,741 bytes, patch)
2009-04-02 10:55 UTC, Robert Buchholz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2009-04-02 10:53:14 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

On Monday 30 March 2009, Jan Lieskovsky wrote:
  A null pointer dereference flaw was found in the LittleCMS color
  management system (lcms) in the way lcms performs transformation
  operations when creating gray input matrix shaper. Processing a
  malicious image file, with specially-crafted ICC profile, could lead
  to denial of service.

CVE information: CVE-2009-0793 has been already assigned.

Proposed embargo date: 2009-04-02
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-04-02 10:54:26 UTC
This is going public today. It would be preferable if we could bump to lcms 1.18 and apply the patch on top later when RedHat opens up the embargo.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-04-02 10:55:21 UTC
Created attachment 187064
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-04-06 08:57:48 UTC
This is now public. Since the patch is pretty non-intrusive, it could be applied easily. However, I contacted upstream concerning a new release timeframe.
Comment 4 Daniel Gryniewicz (RETIRED) gentoo-dev 2009-04-06 13:41:39 UTC
Added and bumped to 1.18-r1.  Sorry for the slow turnaround...
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-04-12 15:32:16 UTC
Upstream is currently conducting regression tests on the patch. I suggest we wait until they have been completed. This bug should only allow for a DoS anyway.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-04-15 21:51:57 UTC
CVE-2009-0793:
  cmsxform.c in LittleCMS (aka lcms or liblcms) 1.18, as used in
  OpenJDK and other products, allows remote attackers to cause a denial
  of service (NULL pointer dereference and application crash) via a
  crafted image that triggers execution of incorrect code for
  "transformations of monochrome profiles."

Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-04-18 11:15:31 UTC
Upstream has confirmed the patch and will release it as 1.18a later.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2009-04-18 11:15:59 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 9 Markus Meier gentoo-dev 2009-04-18 12:37:20 UTC
amd64/x86 stable
Comment 10 Brent Baude (RETIRED) gentoo-dev 2009-04-18 13:14:40 UTC
ppc64 done
Comment 11 Brent Baude (RETIRED) gentoo-dev 2009-04-18 13:14:47 UTC
ppc done
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2009-04-18 16:36:33 UTC
Stable for HPPA.
Comment 13 Tobias Klausmann (RETIRED) gentoo-dev 2009-04-18 16:44:57 UTC
Stable on alpha.
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2009-04-18 17:08:23 UTC
arm/ia64/s390/sh/sparc stable
Comment 15 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-18 21:13:12 UTC
GLSA together with bug 260269.
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-19 15:45:32 UTC
GLSA 200904-19