#2009-003 LittleCMS integer errors

Description:

LittleCMS, an open source color management engine, suffers from several integer errors, resulting in stack-based buffer overflows and various heap errors as well as dangerous memory leaks. Decoding a specially crafted image file will result in unexpected process termination, denial of service conditions or arbitrary code execution due to stack overflow.

LittleCMS is used by several Open Source projects including OpenJDK, Firefox and GIMP.

Affected version:

LittleCMS <= 1.17

The following packages were identified as affected as they statically include LittleCMS in their own packages.

OpenJDK <= 7 build b48
foo2zjs, N/A
libmng zip archives <= 01009x
Firefox <= 3.1 beta 2

Fixed version:

LittleCMS >= 1.18 beta 2
OpenJDK, N/A
foo2zjs, N/A
libmng zip archives >= 01010x
Firefox, N/A

Credit: vulnerability report received from Chris Evans, Google Security Team.

CVE: CVE-2009-0723 (integer overflows), CVE-2009-0581 (memory leak), CVE-2009-0733 (lack of upper-bound checks on size)

Timeline:

2009-02-13: vulnerability report and patch received
2009-02-16: contacted littlecms maintainer
2009-02-16: oCERT investigated for other potential affected projects
2009-02-20: maintainer provides updated patch
2009-02-20: reporter provides new patch fixing memory leak
2009-02-21: maintainer provides fixed beta version
2009-02-23: reporter confirms fixes
2009-02-24: contacted affected vendors providing combined security patch and beta version, recommending the latter
2009-03-02: patch found to break functionality, contacted affected vendors advising to use only beta version
2009-03-03: reporter provides additional patch based on feedback, patch provided to vendors
2009-03-06: Debian requests embargo lift
2009-03-08: embargo lifted from 03-09 to 03-19, affected vendors notified
2009-03-20: advisory release

References:

http://scarybeastsecurity.blogspot.com/2009/03/littlecms-vulnerabilities.html
http://scary.beasts.org/security/CESA-2009-003.html

Permalink:

http://www.ocert.org/advisories/ocert-2009-003.html

--
Andrea Barisani | Founder & Project Coordinator
oCERT | Open Source Computer Emergency Response Team
http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"
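The two bug classes the advisory names, an integer overflow in a size computation (CVE-2009-0723) and a missing upper-bound check on a size taken from the file (CVE-2009-0733), share one defensive fix: validate the untrusted count before it drives an allocation or a copy into a fixed buffer. The following is an added illustration of that check, not LittleCMS code; the table layout, the MAX_ENTRIES bound and the sample bytes are constructed.

```c
/* Added illustration (not LittleCMS code): validating a count read from an
 * untrusted file before it sizes a copy into a fixed stack buffer. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define MAX_ENTRIES 4096u   /* hypothetical upper bound for one table */

/* Computes count * entry_size into *out, rejecting zero counts, counts above
 * max_count (the upper-bound check) and products that would wrap around
 * size_t (the integer overflow). Returns false on rejection. */
bool checked_table_bytes(uint32_t count, size_t entry_size,
                         size_t max_count, size_t *out)
{
    if (count == 0 || count > max_count)
        return false;                         /* upper-bound check */
    if (entry_size == 0 || (size_t)count > SIZE_MAX / entry_size)
        return false;                         /* multiplication would wrap */
    *out = (size_t)count * entry_size;
    return true;
}

/* Copies declared_count 16-bit entries from file data into a fixed stack
 * buffer. Returns the number of bytes copied, or 0 if the declared size is
 * rejected or exceeds the data actually present in the file. */
size_t load_table(const uint8_t *file, size_t file_len, uint32_t declared_count)
{
    uint16_t table[MAX_ENTRIES];
    size_t need;

    if (!checked_table_bytes(declared_count, sizeof table[0], MAX_ENTRIES, &need))
        return 0;
    if (need > file_len)                      /* header claims more than exists */
        return 0;
    memcpy(table, file, need);
    return need;
}

int main(void)
{
    /* Constructed sample: 8 bytes of table data, i.e. four 16-bit entries. */
    const uint8_t sample[8] = {1, 0, 2, 0, 3, 0, 4, 0};
    printf("4 entries -> %zu bytes\n", load_table(sample, sizeof sample, 4));
    printf("5 entries -> %zu bytes\n", load_table(sample, sizeof sample, 5));
    printf("0x80000001 entries -> %zu bytes\n",
           load_table(sample, sizeof sample, 0x80000001u));
    return 0;
}
```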