Thanks Mike,

3 of those cases refer to the same bug, which I fixed easily.

https://github.com/mm2/Little-CMS/commit/a87cb2d1c1242b849e9ce84bd19b8501d14154dd

The fourth was already reported to me by the Chromium team, I guess when they
discovered it. This is more difficult because you need to create a crafted ICC
profile in order to trick lcms. I’m on it, will take some days.

Regarding severity, the IT8 parser is only a helper used by the companion demos. It
is never used or called in any color management. Otherwise, I like to have all
code robust and well tested, no matter whether it is used or not.

Thanks again for reporting. A test case has been added to our automated harness
testbed system, which is similar to what you are using.

Best regards

Marti Maria

The LittleCMS project 

http://www.littlecms.com

From: Mike Aizatsky [mailto:aizat...@google.com] 
Sent: Sunday, December 4, 2016 7:53 PM
To: Marti <marti.ma...@littlecms.com>; lcms-user@lists.sourceforge.net
Subject: Re: [Lcms-user] Reporting potential security vulnerabilities in lcms

Marti,

I've got your e-mail, thanks. I've CC'ed you on all 4 lcms bugs and they should
now be visible to you:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=142

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=157

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=166

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=192

Can you check? The view should work as well:
https://bugs.chromium.org/p/oss-fuzz/issues/list?q=Proj%3Alcms&saved=4&sort=-id&ts=1480876967

Here's our reproducing guide:

https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md

We used address sanitizer.

The code for our fuzzers: 

https://github.com/google/oss-fuzz/blob/master/projects/lcms/cmsIT8_load_fuzzer.c

https://github.com/google/oss-fuzz/blob/master/projects/lcms/cms_transform_fuzzer.c

We would really love to see them moved to your repository and integrated with
your build system.

Just feed input bytes to these functions or you can use a standalone driver
like this:

https://reviews.llvm.org/diffusion/L/browse/llvm/trunk/lib/Fuzzer/standalone/StandaloneFuzzTargetMain.c

Let me know if you have any questions or problems reproducing.

On Sat, Dec 3, 2016 at 1:06 AM Marti <marti.ma...@littlecms.com> wrote:

Hello Mike,

First, I would like to thank you very much for all the effort you have put into making
lcms more secure. I appreciate it.

I will contact you by a separate email from my google account.

If anybody else on the list is interested in this stuff, please let me know.
Please note this is related to security and therefore I will not publicly list
the vulnerabilities found. Depending on the severity, I can do a maintenance
release to deal with that.

Best regards

Marti Maria

The LittleCMS project

http://www.littlecms.com

From: Mike Aizatsky [mailto:aizat...@google.com]
Sent: Friday, December 2, 2016 7:58 PM
To: lcms-user@lists.sourceforge.net
Subject: [Lcms-user] Reporting potential security vulnerabilities in lcms

Hi!

Our OSS-Fuzz fuzzing effort
(https://testing.googleblog.com/2016/12/announcing-oss-fuzz-continuous-fuzzing.html)
has located several potential issues in the lcms library (crash, heap use after
free, heap buffer overflow) using the fuzz targets we developed
(https://github.com/google/oss-fuzz/tree/master/projects/lcms).

These crashes are now filed in a security-protected monorail tracker
(https://bugs.chromium.org/p/oss-fuzz/issues/list) and we'd like to find lcms
developers to take a look at them.

We will CC developers on these issues to give them access to stack traces and
reproducer data. For that we'd need an e-mail with an associated gmail account.

We will also set up the process to auto-CC these e-mails when we find more
issues.

-- 

Mike
Sent from phone
