The vulnerability is caused by a use-after-free error when handling ICC profiles and can be exploited via a specially crafted image file.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in icclib versions prior to 2.13.
Update to icclib version 2.13 bundled in Argyll Color Management System version 1.4.0.
Per Dilfridge via IRC:
May also affect ghostscript-gpl because it bundles icclib
(In reply to comment #1)
> Per Dilfridge via IRC:
> May also affect ghostscript-gpl because it bundles icclib
See bug 206893 for details and progress on this. The icclib in ghostscript is quite old but may carry local fixes.
This may help as well: http://www.argyllcms.com/icc_readme.html
Andreas, are we ok to stabilize =media-gfx/argyllcms-1.4.0? Tnx.
(In reply to comment #3)
> This may help as well: http://www.argyllcms.com/icc_readme.html
> Andreas, are we ok to stabilize =media-gfx/argyllcms-1.4.0? Tnx.
Sure, go ahead.
Arches, please test and mark stable:
Target keywords : "amd64 x86"
*** Bug 416837 has been marked as a duplicate of this bug. ***
Vulnerable argyllcms version removed from the tree.
Thanks, everyone. GLSA request filed.
This issue was resolved and addressed in
GLSA 201206-04 at http://security.gentoo.org/glsa/glsa-201206-04.xml
by GLSA coordinator Sean Amoss (ackle).