lcms: multiple vulnerabilities

Package(s): lcms
CVE #(s): CVE-2009-0581 CVE-2009-0723 CVE-2009-0733
Created: March 19, 2009
Updated: December 3, 2009
Description: lcms has three vulnerabilities. From the Red Hat alert:

Multiple integer overflow flaws which could lead to heap-based buffer overflows, as well as multiple insufficient input validation flaws, were found in LittleCMS. An attacker could use these flaws to create a specially-crafted image file which could cause an application using LittleCMS to crash, or, possibly, execute arbitrary code when opened by a victim. (CVE-2009-0723, CVE-2009-0733)

A memory leak flaw was found in LittleCMS. An application using LittleCMS could use an excessive amount of memory, and possibly crash after using all available memory, if used to open specially-crafted images. (CVE-2009-0581)

Alerts:
Mandriva MDVSA-2009:121-1 2009-12-02
Mandriva MDVSA-2009:162 2009-07-28
Mandriva MDVSA-2009:137 2009-06-20
Mandriva MDVSA-2009:121 2009-05-21
Fedora FEDORA-2009-3967 2009-04-27
Fedora FEDORA-2009-3914 2009-04-27
Debian DSA-1769-1 2009-04-11
CentOS CESA-2009:0377 2009-04-08
Red Hat RHSA-2009:0377-01 2009-04-07
Fedora FEDORA-2009-3034 2009-03-25
Debian DSA-1745-2 2009-03-25
Slackware SSA:2009-083-01 2009-03-25
Ubuntu USN-744-1 2009-03-23
SuSE SUSE-SR:2009:007 2009-03-24
Fedora FEDORA-2009-2983 2009-03-24
Fedora FEDORA-2009-2982 2009-03-24
Fedora FEDORA-2009-2903 2009-03-23
Fedora FEDORA-2009-2970 2009-03-23
Fedora FEDORA-2009-2928 2009-03-23
Fedora FEDORA-2009-2910 2009-03-23
Debian DSA-1745-1 2009-03-20
Red Hat RHSA-2009:0339-01 2009-03-19
Gentoo 200904-19 2009-04-19

lcms: multiple vulnerabilities

Posted Apr 3, 2009 10:11 UTC (Fri) by boudewijn (subscriber, #14185)

This patch is completely bogus: it breaks LCMS completely on all distributions that applied the patch. It turns out to be impossible to link from LWN to a message on a sourceforge mailing list, but please read what Marti Maria has to say about it.

lcms: multiple vulnerabilities

Posted Apr 3, 2009 13:37 UTC (Fri) by jake (editor, #205)

> It turns out to be impossible to link from LWN to a message on a
> sourceforge mailing list

Is this a problem with LWN? or with SourceForge? If the former, please let us know so that we can get it on the list to fix, thanks!

jake

lcms: multiple vulnerabilities

Posted Apr 3, 2009 15:08 UTC (Fri) by foom (subscriber, #14868)
