Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20081128171240.02a1c350@redhat.com>
Date: Fri, 28 Nov 2008 17:12:40 +0100
From: Tomas Hoger <thoger@...hat.com>
To: OSS Security <oss-security@...ts.openwall.com>
Cc: coley@...re.org
Subject: CVE request: lcms (old issues)

Hi!

While digging around CVE-2007-2741, I found out that there are 2 other
issues that were quite silently fixed in the Little CMS updates tagged
as fixing CVE-2007-2741 as done by various vendors.

The issues are:

The ReadEmbeddedTextTag in src/cmsio1.c did not properly check amount
of data read from the input file to the buffer provided as one of it's
arguments.  Value read from the file was used as an upper bound without
any validation.

This issue was fixed upstream in 1.16.  Attached is the patch against
1.15 lcms packages as was used in SuSE security updates (original name
of the patch as used in SuSE and Mandriva SRPMS is
lcms-CVE-2007-2741.patch, but it is not a fix for CVE-2007-2741,
CVE-2007-2741 was fixed upstream in 1.15 and the correct patch for it
is named named liblcms-<version>-icc.diff in pre-1.15 SuSE / Mandriva
SRPMS).

Upstream CVS commit:
http://lcms.cvs.sourceforge.net/viewvc/lcms/lcms/src/cmsio1.c?r1=1.33&r2=1.34


Another issue is unsigned -> signed integer cast issue in cmsAllocGamma
in src/cmsgamma.c.  The argument to this function - nEntries - may be
read from the file and not validated before cmsAllocGamma is called.
As nEntries in cmsAllocGamma is signed integer, it's value may possibly
be negative and can result in an insufficient memory allocation.

This issue was fixed upstream in 1.17.  Again, attached is the patch
extracted from SuSE security updates for 1.15.  Original name was
lcms-gamma-overflow.patch.

Upstream CVS commit:
http://lcms.cvs.sourceforge.net/viewvc/lcms/lcms/src/cmsgamma.c?view=diff&r1=1.16&r2=1.17


As both of these fixes date back to 2007, and were used in the security
advisory in 2007, they may need 2007 CVE id.  Steven, can you get us
some?  Thank you!

-- 
Tomas Hoger / Red Hat Security Response Team

View attachment "lcms-1.15-ReadEmbeddedTextTag-sizechecks.diff" of type "text/x-patch" (5529 bytes)

View attachment "lcms-1.15-cmsAllocGamma-overflow.diff" of type "text/x-patch" (563 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.