Date: Fri, 28 Nov 2008 17:12:40 +0100
From: Tomas Hoger <thoger@...hat.com>
To: OSS Security <oss-security@...ts.openwall.com>
Cc: coley@...re.org
Subject: CVE request: lcms (old issues)

Hi!

While digging around CVE-2007-2741, I found out that there are 2 other
issues that were quite silently fixed in the Little CMS updates tagged
as fixing CVE-2007-2741 as done by various vendors.

The issues are:

The ReadEmbeddedTextTag in src/cmsio1.c did not properly check the amount
of data read from the input file to the buffer provided as one of its
arguments.  Value read from the file was used as an upper bound without
any validation.

This issue was fixed upstream in 1.16.  Attached is the patch against
1.15 lcms packages as was used in SuSE security updates (original name
of the patch as used in SuSE and Mandriva SRPMS is
lcms-CVE-2007-2741.patch, but it is not a fix for CVE-2007-2741,
CVE-2007-2741 was fixed upstream in 1.15 and the correct patch for it
is named liblcms-<version>-icc.diff in pre-1.15 SuSE / Mandriva
SRPMS).

Upstream CVS commit:
http://lcms.cvs.sourceforge.net/viewvc/lcms/lcms/src/cmsio1.c?r1=1.33&r2=1.34


Another issue is unsigned -> signed integer cast issue in cmsAllocGamma
in src/cmsgamma.c.  The argument to this function - nEntries - may be
read from the file and not validated before cmsAllocGamma is called.
As nEntries in cmsAllocGamma is signed integer, its value may possibly
be negative and can result in an insufficient memory allocation.

This issue was fixed upstream in 1.17.  Again, attached is the patch
extracted from SuSE security updates for 1.15.  Original name was
lcms-gamma-overflow.patch.

Upstream CVS commit:
http://lcms.cvs.sourceforge.net/viewvc/lcms/lcms/src/cmsgamma.c?view=diff&r1=1.16&r2=1.17


As both of these fixes date back to 2007, and were used in the security
advisory in 2007, they may need 2007 CVE id.  Steven, can you get us
some?  Thank you!

-- 
Tomas Hoger / Red Hat Security Response Team

View attachment "lcms-1.15-ReadEmbeddedTextTag-sizechecks.diff" of type "text/x-patch" (5529 bytes)

View attachment "lcms-1.15-cmsAllocGamma-overflow.diff" of type "text/x-patch" (563 bytes)
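
The two validation patterns the message describes, as an added example that is not part of the original post and is not code from lcms or from the attached patches. Reader, read_text_tag, alloc_gamma and MAX_GAMMA_ENTRIES are hypothetical names, and the sample tag bytes are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_GAMMA_ENTRIES 65530u  /* assumed cap for this sketch, not an lcms constant */

/* Hypothetical reader: a cursor over profile bytes already in memory. */
typedef struct { const uint8_t *data; size_t len, pos; } Reader;

/* Copy a text tag whose size field came from the file into dst.
 * Returns the bytes copied, or -1 when the declared size exceeds either
 * the remaining input or the caller's buffer (one byte kept for the NUL). */
long read_text_tag(Reader *r, uint32_t declared, char *dst, size_t dst_size)
{
    if (dst_size == 0 || r->pos > r->len) return -1;
    if (declared > r->len - r->pos) return -1;  /* more than the file holds */
    if (declared > dst_size - 1) return -1;     /* more than dst can take */
    memcpy(dst, r->data + r->pos, declared);
    dst[declared] = '\0';
    r->pos += declared;
    return (long)declared;
}

/* Allocate a zeroed gamma table for an entry count read from the file.
 * The count stays unsigned and is range-checked before it sizes anything,
 * so a value such as 0x80000000 can never be seen as a negative int. */
uint16_t *alloc_gamma(uint32_t n_entries)
{
    if (n_entries == 0 || n_entries > MAX_GAMMA_ENTRIES) return NULL;
    return calloc(n_entries, sizeof(uint16_t));
}

int main(void)
{
    static const uint8_t tag[] = "Copyright text";  /* constructed input */
    Reader r = { tag, sizeof tag - 1, 0 };
    char buf[8];
    /* Oversized declared length is refused; a fitting one is copied. */
    int ok = read_text_tag(&r, 0xFFFFFFFFu, buf, sizeof buf) == -1
          && read_text_tag(&r, 7, buf, sizeof buf) == 7
          && alloc_gamma(0x80000000u) == NULL;
    return ok ? 0 : 1;
}
```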
