Fedora 9: 2009-3031 Critical: icclib Integer Overflow Code Execution

The Argyll color management system supports accurate ICC profile creation for

scanners, CMYK printers, film recorders and calibration and profiling of

displays.

Spectral sample data is supported, allowing a selection of illuminants observer

types, and paper fluorescent whitener additive compensation. Profiles can also

incorporate source specific gamut mappings for perceptual and saturation

intents. Gamut mapping and profile linking uses the CIECAM02 appearance model,

a unique gamut mapping algorithm, and a wide selection of rendering intents. It

also includes code for the fastest portable 8 bit raster color conversion

engine available anywhere, as well as support for fast, fully accurate 16 bit

conversion. Device color gamuts can also be viewed and compared using a VRML

viewer.

Multiple integer overflows were found in the International Color Consortium

Format Library (icclib). An attacker could use this flaw to potentially execute

arbitrary code by requesting to translate a specially- crafted image file

created on one device into another's device native color space via a device

file.

* Mon Mar 23 2009 Jon Ciesla - 1.0.3-3

- Patch for ICC library CVE-2009-{0583, 0584} by Tim Waugh.

* Mon Feb 23 2009 Fedora Release Engineering - 1.0.3-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild

* Wed Sep 3 2008 Nicolas Mailhot

- 1.0.3-1

⌨ Bugfix release

* Mon Sep 1 2008 Nicolas Mailhot

- 1.0.2-1

ᾢ Bugfix release

* Sun Jul 27 2008 Nicolas Mailhot

- 1.0.1-1

☻ Lots of workarounds dropped — Argyll continues progressing towards “normal

package” state

☺ No more jam hell ☡, autotooling patch by Alastair M. Robinson ♥♥♥

♿ New workaround added for private libusb check ⚔ We build againt system

libusb, and will fix ⚕ any problem people care to report

⁜ Re-applied some patches still not merged upstream, including the legal ⚖ one

⚙ It builds, what can go wrong⁉

⁂ Changed Huey policy file. Huey users, please test

[ 1 ] Bug #487742 - CVE-2009-0583 ghostscript: Multiple integer overflows in the International Color Consortium Format Library

https://bugzilla.redhat.com/show_bug.cgi?id=487742

[ 2 ] Bug #487744 - CVE-2009-0584 ghostscript: Multiple insufficient upper-bounds checks on certain sizes in the International Color Consortium Format Library

https://bugzilla.redhat.com/show_bug.cgi?id=487744

su -c 'yum update argyllcms' at the command line.

For more information, refer to "Managing Software with yum",

available at .

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

Fedora-package-announce mailing list

Fedora-package-announce@redhat.com

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/