USN-744-1: LittleCMS vulnerabilities

Releases

• Ubuntu 8.10
• Ubuntu 8.04
• Ubuntu 7.10
• Ubuntu 6.06

Packages

• lcms -

Details

Chris Evans discovered that LittleCMS did not properly handle certain error
conditions, resulting in a large memory leak. If a user or automated system
were tricked into processing an image with malicious ICC tags, a remote
attacker could cause a denial of service. (CVE-2009-0581)

Chris Evans discovered that LittleCMS contained multiple integer overflows.
If a user or automated system were tricked into processing an image with
malicious ICC tags, a remote attacker could crash applications linked
against liblcms1, leading to a denial of service, or possibly execute
arbitrary code with user privileges. (CVE-2009-0723)

Chris Evans discovered that LittleCMS did not properly perform bounds
checking, leading to a buffer overflow. If a user or automated system were
tricked into processing an image with malicious ICC tags, a remote attacker
could execute arbitrary code with user privileges. (CVE-2009-0733)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 8.10

• python-liblcms - 1.16-10ubuntu0.2
• liblcms1 - 1.16-10ubuntu0.2

Ubuntu 8.04

• python-liblcms - 1.16-7ubuntu1.2
• liblcms1 - 1.16-7ubuntu1.2

Ubuntu 7.10

• python-liblcms - 1.16-5ubuntu3.2
• liblcms1 - 1.16-5ubuntu3.2

Ubuntu 6.06

• liblcms1 - 1.13-1ubuntu0.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

References

• CVE-2009-0581
• CVE-2009-0723
• CVE-2009-0733