Hi Bob, https://bugzilla.redhat.com/show_bug.cgi?id=492353
But the report is wrong. The bug (if any) was affecting only monochrome profiles used in the output direction, so there is no way to (as the report says) "use this flaw to create a specially-crafted image, which could cause an application using LittleCMS to crash, leading to a denial of service".

Well, it is hard for me to imagine a way to trick any user to:

- Use a monochrome monitor instead of the brand new TFT color he already has.
- Download and install a crafted profile for that monochrome monitor.

The effect of that would be to make fun of the upset user that would see gimp crashing when trying to display images on that ridiculous configuration. That's all, since no code injection was possible. Oh, wait, gimp doesn't support monochrome monitors at all.

Anyway, lcms-1.19 has it fixed if you care.

Regards
Marti

Original Message:
-----------------
From: Bob Friesenhahn bfrie...@simple.dallas.tx.us
Date: Wed, 12 Jan 2011 10:20:54 -0600 (CST)
To: lcms-user@lists.sourceforge.net
Subject: [Lcms-user] CVE-2009-0073?

I see that Ubuntu Linux just released patched lcms 1.18 binaries for CVE-2009-0073 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0073) which supposedly is about lcms. This is what Ubuntu's update tool says about the patch:

  * debian/patches/CVE-2009-0793.dpatch: SECURITY UPDATE: (LP: #700198)
    - Fix DoS via a crafted image that triggers execution of incorrect code for "transformations of monochrome profiles."
    - CVE-2009-0073

Can anyone share the details of this so that we can make sure that the lcms we bundle in our applications is secure?

Thanks,
Bob

--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/

------------------------------------------------------------------------------
Protect Your Site and Customers from Malware Attacks
Learn about various malware tactics and how to avoid them. Understand malware threats, the impact they can have on your business, and how you can protect your company and customers by using code signing.
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Lcms-user mailing list
Lcms-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lcms-user