Ubuntu 744-1: LittleCMS vulnerabilities

    Date: 23 Mar 2009
    Category: Ubuntu
    Posted By: LinuxSecurity Advisories
    ===========================================================
    Ubuntu Security Notice USN-744-1             March 23, 2009
    lcms vulnerabilities
    CVE-2009-0581, CVE-2009-0723, CVE-2009-0733
    ===========================================================
    
    A security issue affects the following Ubuntu releases:
    
    Ubuntu 6.06 LTS
    Ubuntu 7.10
    Ubuntu 8.04 LTS
    Ubuntu 8.10
    
    This advisory also applies to the corresponding versions of
    Kubuntu, Edubuntu, and Xubuntu.
    
    The problem can be corrected by upgrading your system to the
    following package versions:
    
    Ubuntu 6.06 LTS:
      liblcms1                        1.13-1ubuntu0.2
    
    Ubuntu 7.10:
      liblcms1                        1.16-5ubuntu3.2
      python-liblcms                  1.16-5ubuntu3.2
    
    Ubuntu 8.04 LTS:
      liblcms1                        1.16-7ubuntu1.2
      python-liblcms                  1.16-7ubuntu1.2
    
    Ubuntu 8.10:
      liblcms1                        1.16-10ubuntu0.2
      python-liblcms                  1.16-10ubuntu0.2
    
    In general, a standard system upgrade is sufficient to effect the
    necessary changes.
    
    Details follow:
    
    Chris Evans discovered that LittleCMS did not properly handle certain error
    conditions, resulting in a large memory leak. If a user or automated system
    were tricked into processing an image with malicious ICC tags, a remote
    attacker could cause a denial of service. (CVE-2009-0581)
    
    Chris Evans discovered that LittleCMS contained multiple integer overflows.
    If a user or automated system were tricked into processing an image with
    malicious ICC tags, a remote attacker could crash applications linked
    against liblcms1, leading to a denial of service, or possibly execute
    arbitrary code with user privileges. (CVE-2009-0723)
    
    Chris Evans discovered that LittleCMS did not properly perform bounds
    checking, leading to a buffer overflow. If a user or automated system were
    tricked into processing an image with malicious ICC tags, a remote attacker
    could execute arbitrary code with user privileges. (CVE-2009-0733)
    
    