Date: Fri, 20 Mar 2009 18:02:40 +0000
From: Andrea Barisani <lcars@ocert.org.>
To: ocert-announce@lists.ocert.org, oss-security@lists.openwall.com,
Subject: [oCERT-2009-003] LittleCMS integer errors
Message-ID: <20090320180240.GY2863@inversepath.com.>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-GPG-Key: 0x864C9B9E
X-GPG-Fingerprint: 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
User-Agent: Mutt/1.5.17+20080114 (2008-01-14)
X-Virus-Scanned: antivirus-gw at tyumen.ru
#2009-003 LittleCMS integer errors
Description:
LittleCMS, an open source color management engine, suffers from several
integer errors, resulting in stack based buffer overflows and various heap
errors as well as dangerous memory leaks. Decoding a specially crafted
image file will result in unexpected process termination, Denial Of
Service conditions or arbitrary code execution due to stack overflow.
LittleCMS is used by several Open Source projects including OpenJDK,
Firefox and GIMP.
Affected version:
LittleCMS <= 1.17
The following packages were identified as affected as they statically
include LittleCMS in their own packages.
OpenJDK <= 7 build b48
foo2zjs, N/A
libmng zip archives <= 01009x
Firefox <= 3.1 beta 2
Fixed version:
LittleCMS >= 1.18 beta 2
OpenJDK, N/A
foo2zjs, N/A
libmng zip archives >= 01010x
Firefox, N/A
Credit: vulnerability report received from Chris Evans <cevans [at] google
[dot] com>, Google Security Team.
CVE: CVE-2009-0723 (integer overflows), CVE-2009-0581 (memory leak),
CVE-2009-0733 (lack of upper-ground checks on size)
Timeline:
2009-02-13: vulnerability report and patch received
2009-02-16: contacted littlecms maintainer
2009-02-16: oCERT investigated for other potential affected projects
2009-02-20: maintainer provides updated patch
2009-02-20: reporter provides new patch fixing memory leak
2009-02-21: maintainer provides fixed beta version
2009-02-23: reporter confirms fixes
2009-02-24: contacted affected vendors providing combined security patch
and beta version, recommending the latter
2009-03-02: patch found to break functionality, contacted affected vendors
advising to use only beta version
2009-03-03: reporter provides additional patch based on feedback, patch
provided to vendors
2009-03-06: Debian requests embargo lift
2009-03-08: embargo lifted from 03-09 to 03-19, affected vendors notified
2009-03-20: advisory release
References:
http://scarybeastsecurity.blogspot.com/2009/03/littlecms-vulnerabilities.html
http://scary.beasts.org/security/CESA-2009-003.html
Permalink:
http://www.ocert.org/advisories/ocert-2009-003.html
--
Andrea Barisani | Founder & Project Coordinator
oCERT | Open Source Computer Emergency Response Team
<lcars@ocert.org.> http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"
