Bug 521513 (CVE-2009-0793) - VUL-1: CVE-2009-0793: lcms: LittleCMS null pointer dereference
Summary: VUL-1: CVE-2009-0793: lcms: LittleCMS null pointer dereference
Status: RESOLVED FIXED
Alias: CVE-2009-0793
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium Severity: Normal
Target Milestone: ---
Deadline: 2009-08-10
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: .
Keywords:
Depends on: 490610
Blocks:
Reported: 2009-07-13 12:32 UTC by Ludwig Nussel
Modified: 2017-07-03 07:33 UTC

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Ludwig Nussel 2009-07-13 12:32:48 UTC
Your friendly security team received the following report.
Please respond ASAP.
lcms might be affected by bug #490610,
please refer to the discussion there for details.
Comment 1 Stanislav Brabec 2009-07-14 16:27:39 UTC
lcms in Factory already contains an incorrect fix for this bug and needs a fix.

All other products have no fix yet and need an update as well.
Comment 2 Stanislav Brabec 2009-07-14 17:05:28 UTC
Packages lcms and liblcms submitted to all products except SLES8 (-SLEC, also affected) using the fixed fix from bug 490610 comment 9.

For SLED9 submitted once for SP3, once for SLES9/SP4. Both packages are exactly the same. Process them as you need.
Comment 3 Ludwig Nussel 2009-07-15 08:26:28 UTC
Hmm, this is just a NULL deref. Let's put this on planned updates and release later. Thanks anyways!
Comment 4 Ruediger Oertel 2009-07-31 12:31:01 UTC
package submitted for SLES10-SP2. take in for SLES10-SP3 ?
Comment 5 Marcus Meissner 2009-07-31 13:50:24 UTC
you can take it in, yes.
Comment 6 Ruediger Oertel 2009-08-31 15:23:23 UTC
patchinfos coming ?
Comment 7 Thomas Biege 2009-09-01 14:22:05 UTC
(In reply to comment #6)
> patchinfos coming ?

It was moved to the list of "planned updates".
Comment 10 Matthias Weckbecker 2011-10-17 11:16:56 UTC
For the sake of completeness: CVE-2009-0793 is used for this.
Comment 11 Ludwig Nussel 2011-10-18 11:55:14 UTC
fix went into sle10sp3 at some point so only sle9 left for which it is too minor.