Bugzilla – Bug 843716
VUL-1: CVE-2013-4276: lcms: stack overflows
Last modified: 2013-11-22 13:18:36 UTC
via debian bugzilla and oss-sec

CVE-2013-4276: Multiple stack-based buffer overflows in LittleCMS (aka lcms or liblcms) 1.19 and earlier allow remote attackers to cause a denial of service (crash) via a crafted (1) ICC color profile to the icctrans utility or (2) TIFF image to the tiffdiff utility.

References:
http://comments.gmane.org/gmane.comp.security.oss.general/10781
http://bugs.debian.org/718682
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718682
http://www.openwall.com/lists/oss-security/2013/08/22/3
https://bugzilla.redhat.com/show_bug.cgi?id=991757
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4276
https://bugzilla.redhat.com/show_bug.cgi?id=992975

(only in the utils apparently, might get caught by fortify source)
bugbot adjusting priority
Looking at the report, lcms2 is not affected, and only lcms (1) needs a fix. lcms (1) is no longer maintained by upstream, so we have to include downstream patches in Factory as well.
openSUSE Factory: created obs request id 202174 to multimedia:libs
openSUSE (12.2, 12.3): created obs maintenance request id 202175
SLE11 (SP1 Update Test): created ibs request id 28918
This is an autogenerated message for OBS integration: This bug (843716) was mentioned in https://build.opensuse.org/request/show/202285 Factory / lcms
The SWAMPID for this issue is 54679. This issue was rated as low. Please submit fixed packages until 2013-11-04. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
This is an autogenerated message for OBS integration: This bug (843716) was mentioned in https://build.opensuse.org/request/show/202799 Evergreen:11.2:Test / lcms
openSUSE-SU-2013:1547-1: An update that fixes one vulnerability is now available.
Category: security (low)
Bug References: 843716
CVE References: CVE-2013-4276
Sources used:
openSUSE 12.3 (src): lcms-1.19-11.4.1
openSUSE 12.2 (src): lcms-1.19-9.4.1
This is an autogenerated message for OBS integration: This bug (843716) was mentioned in https://build.opensuse.org/request/show/203989 Evergreen:11.2 / lcms
openSUSE-SU-2013:1560-1: An update that fixes one vulnerability is now available.
Category: security (low)
Bug References: 843716
CVE References: CVE-2013-4276
Sources used:
openSUSE 11.4 (src): lcms-1.19-5.1
Update released for: lcms, lcms-debuginfo, lcms-debugsource, liblcms-devel, liblcms-devel-32bit, liblcms1, liblcms1-32bit, python-lcms
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: lcms, lcms-debuginfo, lcms-debugsource, liblcms-devel, liblcms-devel-32bit, liblcms1, liblcms1-32bit, liblcms1-x86, python-lcms
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Update released for: lcms, lcms-debuginfo, lcms-debugsource, liblcms-devel, liblcms-devel-32bit, liblcms1, liblcms1-32bit, liblcms1-x86, python-lcms
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
fixed