Date: Mon, 22 Jul 2013 02:26:28 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Marcus Meissner <meissner@...e.de>
Subject: Re: CVE Request: OpenJDK and lcms2 2.5 release fixes
 various denial of service issues in lcms2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/18/2013 06:40 AM, Marcus Meissner wrote:
> Hi,
> 
> The lcms2 2.4 -> 2.5 version upgrade fixes various crashes that
> could be used by attackers to crash (NULL ptr deref) programs using
> lcms2, like e.g. OpenJDK 7
> 
> This was found in the embedded copy within OpenJDK7 first, then
> merged to lcms2.
> 
> http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-July/023895.html
>
>  lcms2 related issues in there:
>  * S8007925: Improve cmsStageAllocLabV2ToV4curves
>  * S8007926: Improve cmsPipelineDup
>  * S8007927: Improve cmsAllocProfileSequenceDescription
>  * S8007929: Improve CurvesAlloc
>  * S8009654: Improve stability of cmsnamed
> 
> All covered by lcms2 in this commit (I think): 
> https://github.com/mm2/Little-CMS/commit/91c2db7f2559be504211b283bc3a2c631d6f06d9
>
>  These probably can get just 1 CVE, although I do not know the
> OpenJDK IcedTea side of the story.
> 
> https://bugzilla.novell.com/show_bug.cgi?id=826097#c9 has the
> research into more of these stability commits in lcms2 by my
> colleague Stanislav Brabec. Not sure if they should get separate
> CVEs or not.
> 
> Ciao, Marcus

Please use CVE-2013-4160 for this issue.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
