Bugzilla – Bug 977898
VUL-0: CVE-2013-7455: lcms2: double free on error recovering (VU#369800)
Last modified: 2024-05-07 14:38:17 UTC
bugbot adjusting priority
Via CERT:

Hello folks,

Just a follow-up on the last email notification about lcms2.

First, the proposed disclosure date for our vulnerability note is indeed on Wednesday, MAY 4th, instead of March.

We have received a CVE identifier for this vulnerability: CVE-2013-7455

For the record, regarding CVE and IDs for issues disclosed in prior years, from MITRE:

> The year portion of a CVE ID should reflect when the existence of the issue, as a security vulnerability, first became public. Here, the commit message used the term "double free" and this is typically recognized as a type of error that may be exploitable. Thus, a CVE-2013-#### ID is preferable.

Finally, this email has a wide recipient list. Just because your organization is receiving this email, this does not necessarily mean that we have evidence that your organization has a product that is affected by this vulnerability. We are simply notifying organizations that may be affected. If you have reasons why your organization is or is not affected, please let us know and we can include this information in the vulnerability note.

Surely this is preaching to the choir, but as with any library, ways that an application can be affected include:

1) The library is installed system-wide and other applications use this library. The fix would be deployed via updating the system-wide library. A good number of apps appear to use lcms2 in this way.

2) The library is statically included in the application. We've seen a small number of apps, such as openjdk, openjpeg, and ghostscript use lcms2 in this way. We haven't seen any current app that uses this method for utilizing lcms2 provide a vulnerable version of lcms2. But it's not out of the realm of possibility.
Once again, the patch is here: <https://github.com/mm2/Little-CMS/commit/fefaaa43c382eee632ea3ad0cfa915335140e1db#diff-189a94f0a7a47efdd43f5567e27a973b>, and unless we hear some compelling reason to delay, we plan to publish our vulnerability note on Wednesday, May 4th.

Thank you,
Will Dormann
is public now.
Please submit for this. Thank you.
Not sure this applies anymore. This applies to lcms2 2.5 release. Leap 42.2 had 2.7. 2.8 is in Leap 42.3.
(In reply to P Linnell from comment #5) We have this in SUSE:SLE-12:Update and SUSE:SLE-11-SP3:Update
ping. Please submit
Assigning to SLE maintainer, please have a look
Vulnerable versions are 2.5 and older. We have no vulnerable version in openSUSE. In SLE, we have vulnerable version in SUSE:SLE-12:Update (GA, and SP1, but not in SP2 nor SP3) and SUSE:SLE-11-SP3:Update.
SUSE:SLE-12:Update: https://build.suse.de/request/show/165948 SUSE:SLE-11-SP3:Update: https://build.suse.de/request/show/165949
Should VU#369800 be mentioned in the changes?
All done, closing.