Date: Fri, 28 Nov 2008 17:12:40 +0100 From: Tomas Hoger <thoger@...hat.com> To: OSS Security <oss-security@...ts.openwall.com> Cc: coley@...re.org Subject: CVE request: lcms (old issues) Hi! While digging around CVE-2007-2741, I found out that there are 2 other issues that were quite silently fixed in the Little CMS updates tagged as fixing CVE-2007-2741 as done by various vendors. The issues are: The ReadEmbeddedTextTag in src/cmsio1.c did not properly check amount of data read from the input file to the buffer provided as one of it's arguments. Value read from the file was used as an upper bound without any validation. This issue was fixed upstream in 1.16. Attached is the patch against 1.15 lcms packages as was used in SuSE security updates (original name of the patch as used in SuSE and Mandriva SRPMS is lcms-CVE-2007-2741.patch, but it is not a fix for CVE-2007-2741, CVE-2007-2741 was fixed upstream in 1.15 and the correct patch for it is named named liblcms-<version>-icc.diff in pre-1.15 SuSE / Mandriva SRPMS). Upstream CVS commit: http://lcms.cvs.sourceforge.net/viewvc/lcms/lcms/src/cmsio1.c?r1=1.33&r2=1.34 Another issue is unsigned -> signed integer cast issue in cmsAllocGamma in src/cmsgamma.c. The argument to this function - nEntries - may be read from the file and not validated before cmsAllocGamma is called. As nEntries in cmsAllocGamma is signed integer, it's value may possibly be negative and can result in an insufficient memory allocation. This issue was fixed upstream in 1.17. Again, attached is the patch extracted from SuSE security updates for 1.15. Original name was lcms-gamma-overflow.patch. Upstream CVS commit: http://lcms.cvs.sourceforge.net/viewvc/lcms/lcms/src/cmsgamma.c?view=diff&r1=1.16&r2=1.17 As both of these fixes date back to 2007, and were used in the security advisory in 2007, they may need 2007 CVE id. Steven, can you get us some? Thank you! -- Tomas Hoger / Red Hat Security Response Team View attachment "lcms-1.15-ReadEmbeddedTextTag-sizechecks.diff" of type "text/x-patch" (5529 bytes) View attachment "lcms-1.15-cmsAllocGamma-overflow.diff" of type "text/x-patch" (563 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.