Bug 1021364 (CVE-2016-10165) - VUL-1: CVE-2016-10165: lcms2: heap OOB read parsing crafted ICC profile
Status: RESOLVED FIXED
Alias: CVE-2016-10165
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other All
Priority: P3 - Medium, Severity: Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/178990/
Whiteboard: CVSSv2:SUSE:CVE-2016-10165:4.0:(AV:N/...
Keywords: security
Reported: 2017-01-23 09:42 UTC by Mikhail Kasimov
Modified: 2022-06-23 06:52 UTC

Found By: Community User

Description Mikhail Kasimov 2017-01-23 09:42:35 UTC
Ref: http://seclists.org/oss-sec/2017/q1/168
==================================================
Originally disclosed on this list in August by Ibrahim El-Sayed, but the
CVE request was unclear so I guess it got lost:

http://seclists.org/oss-sec/2016/q3/288

An out-of-bounds heap read in lcms2 ("Little Colour Management System"),
in the function Type_MLU_Read in cmstypes.c.  This could be triggered by
an untrusted image with a crafted ICC profile.

Fixed in commit:

https://github.com/mm2/Little-CMS/commit/5ca71a7b

lcms2 is fairly bundled in various OpenJDK releases, so distributions
should check carefully whether they use bundled versions, and if so,
whether those have picked up the patch.

Some more information at Red Hat bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=1367357
==================================================
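
The kind of check that guards against this class of read, as an added example (not lcms2's code and not the patch in the commit linked above): a validator for the ICC multiLocalizedUnicode ('mluc') tag, the tag type that Type_MLU_Read parses, which rejects any record whose offset or length falls outside the tag. The function name, return codes and both sample tags are constructed for illustration; the field layout assumed is the one in the ICC specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ICC profiles store integers big-endian. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical helper: returns 0 if every record of an 'mluc' tag points
 * inside the tag, otherwise a negative code naming the failed check. */
int mluc_validate(const uint8_t *tag, size_t tag_size) {
    const size_t header = 16, rec_size = 12;
    if (tag == NULL || tag_size < header) return -1;  /* truncated header */
    if (be32(tag) != 0x6D6C7563u) return -2;          /* signature is not 'mluc' */
    uint32_t count = be32(tag + 8);
    if (be32(tag + 12) != rec_size) return -3;        /* unexpected record size */
    /* Divide rather than multiply so the record count cannot overflow. */
    if (count > (tag_size - header) / rec_size) return -4;
    size_t table_end = header + (size_t)count * rec_size;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *rec = tag + header + (size_t)i * rec_size;
        uint32_t len = be32(rec + 4);  /* string length in bytes */
        uint32_t off = be32(rec + 8);  /* offset from start of tag */
        if (off < table_end || off > tag_size) return -5; /* offset outside string area */
        if (len > tag_size - off) return -6;              /* string runs past end of tag */
        if (len % 2 != 0) return -7;                      /* UTF-16 needs whole code units */
    }
    return 0;
}

/* Constructed samples: one well-formed tag, one whose record claims 256 bytes. */
const uint8_t good_tag[32] = {
    'm','l','u','c', 0,0,0,0, 0,0,0,1, 0,0,0,12,
    'e','n','U','S', 0,0,0,4, 0,0,0,28, 0,'H',0,'i' };
const uint8_t bad_tag[32] = {
    'm','l','u','c', 0,0,0,0, 0,0,0,1, 0,0,0,12,
    'e','n','U','S', 0,0,1,0, 0,0,0,28, 0,'H',0,'i' };

int main(void) {
    printf("good tag: %d\n", mluc_validate(good_tag, sizeof good_tag));
    printf("bad tag:  %d\n", mluc_validate(bad_tag, sizeof bad_tag));
    return 0;
}
```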
Comment 1 Mikhail Kasimov 2017-01-23 09:43:08 UTC
https://software.opensuse.org/package/lcms2
Comment 2 Swamp Workflow Management 2017-01-23 23:00:16 UTC
bugbot adjusting priority
Comment 3 Peter Linnell 2017-01-24 04:56:13 UTC
SR's 452071, 452072, 452074

Factory SR is pending.
Comment 4 Bernhard Wiedemann 2017-01-24 05:00:39 UTC
This is an autogenerated message for OBS integration:
This bug (1021364) was mentioned in
https://build.opensuse.org/request/show/452071 42.1 / lcms2
https://build.opensuse.org/request/show/452072 42.2 / lcms2
https://build.opensuse.org/request/show/452074 42.3 / lcms2
Comment 6 Matthias Gerstner 2017-01-25 17:00:07 UTC
CVE has been assigned:

Use CVE-2016-10165.

Reference:

http://seclists.org/oss-sec/2017/q1/197
Comment 7 Swamp Workflow Management 2017-01-31 12:09:17 UTC
openSUSE-SU-2017:0336-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1021364
CVE References: 
Sources used:
openSUSE Leap 42.1 (src):    lcms2-2.8-3.1
Comment 8 Johannes Segitz 2018-06-01 06:36:01 UTC
Setting to current maintainer. Please submit for this so I can merge it
with the fix for 977898. Thank you
Comment 12 Stanislav Brabec 2018-06-15 15:20:53 UTC
Done. SLE 15 and Factory are not affected.

Note that I found incorrect names in comments and changes file. Resubmitting.
Comment 14 Swamp Workflow Management 2018-10-29 14:09:17 UTC
SUSE-SU-2018:3545-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1021364,1026649,1026650,1108813
CVE References: CVE-2016-10165,CVE-2018-16435
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    lcms2-2.7-9.7.1
SUSE Linux Enterprise Server 12-SP3 (src):    lcms2-2.7-9.7.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    lcms2-2.7-9.7.1
Comment 15 Wolfgang Frisch 2020-09-24 12:19:48 UTC
Released.