[USN-744-1] LittleCMS vulnerabilities
From: Marc Deslauriers <marc.deslauriers@canonical.com.>
Reply-To: Ubuntu Security <security@ubuntu.com.>
Date: Mon, 23 Mar 2009 14:38:27 -0400
===========================================================
Ubuntu Security Notice USN-744-1 March 23, 2009
lcms vulnerabilities
CVE-2009-0581, CVE-2009-0723, CVE-2009-0733
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  liblcms1 1.13-1ubuntu0.2

Ubuntu 7.10:
  liblcms1 1.16-5ubuntu3.2
  python-liblcms 1.16-5ubuntu3.2

Ubuntu 8.04 LTS:
  liblcms1 1.16-7ubuntu1.2
  python-liblcms 1.16-7ubuntu1.2

Ubuntu 8.10:
  liblcms1 1.16-10ubuntu0.2
  python-liblcms 1.16-10ubuntu0.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Chris Evans discovered that LittleCMS did not properly handle certain error
conditions, resulting in a large memory leak. If a user or automated system
were tricked into processing an image with malicious ICC tags, a remote
attacker could cause a denial of service. (CVE-2009-0581)

Chris Evans discovered that LittleCMS contained multiple integer overflows.
If a user or automated system were tricked into processing an image with
malicious ICC tags, a remote attacker could crash applications linked
against liblcms1, leading to a denial of service, or possibly execute
arbitrary code with user privileges. (CVE-2009-0723)

Chris Evans discovered that LittleCMS did not properly perform bounds
checking, leading to a buffer overflow. If a user or automated system were
tricked into processing an image with malicious ICC tags, a remote attacker
could execute arbitrary code with user privileges. (CVE-2009-0733)