-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:121 http://www.mandriva.com/security/ _______________________________________________________________________ Package : lcms Date : May 21, 2009 Affected: 2008.1, 2009.0, 2009.1, Corporate 3.0, Corporate 4.0 _______________________________________________________________________ Problem Description: Multiple security vulnerabilities has been identified and fixed in Little cms: A memory leak flaw allows remote attackers to cause a denial of service (memory consumption and application crash) via a crafted image file (CVE-2009-0581). Multiple integer overflows allow remote attackers to execute arbitrary code via a crafted image file that triggers a heap-based buffer overflow (CVE-2009-0723). Multiple stack-based buffer overflows allow remote attackers to execute arbitrary code via a crafted image file associated with a large integer value for the (1) input or (2) output channel (CVE-2009-0733). A flaw in the transformations of monochrome profiles allows remote attackers to cause denial of service triggered by a NULL pointer dereference via a crafted image file (CVE-2009-0793). This update provides fixes for these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0581 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0723 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0733 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0793 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.1: 9a7580fe81323030908640bc50ad5627 2008.1/i586/lcms-1.18-0.1mdv2008.1.i586.rpm a610fd40ca8dfa5a61dbc5aa0273a8ee 2008.1/i586/liblcms1-1.18-0.1mdv2008.1.i586.rpm 8dc0e54d1fe702960377a30485bda276 2008.1/i586/liblcms-devel-1.18-0.1mdv2008.1.i586.rpm cee6b7b46b9264786e5f400c3df20431 2008.1/i586/python-lcms-1.18-0.1mdv2008.1.i586.rpm fffadc37bb922b529603b92db03a60f8 2008.1/SRPMS/lcms-1.18-0.1mdv2008.1.src.rpm Mandriva Linux 2008.1/X86_64: 905dda903e8d3bd75473da0e70f71fce 2008.1/x86_64/lcms-1.18-0.1mdv2008.1.x86_64.rpm a19547982d852c7573d19af613572146 2008.1/x86_64/lib64lcms1-1.18-0.1mdv2008.1.x86_64.rpm 6b7b47196c922b9ce86378bb7b5eb61d 2008.1/x86_64/lib64lcms-devel-1.18-0.1mdv2008.1.x86_64.rpm bef4303cf6b191434321d5b9cfd5d9c4 2008.1/x86_64/python-lcms-1.18-0.1mdv2008.1.x86_64.rpm fffadc37bb922b529603b92db03a60f8 2008.1/SRPMS/lcms-1.18-0.1mdv2008.1.src.rpm Mandriva Linux 2009.0: f5bf2caf081de92c5799da37e83f39d0 2009.0/i586/lcms-1.18-0.1mdv2009.0.i586.rpm 85f6bbbbefbec9d3490a4c3fbdf9c231 2009.0/i586/liblcms1-1.18-0.1mdv2009.0.i586.rpm 5bcd989e9fedc7ee8c526cfd3d00fd65 2009.0/i586/liblcms-devel-1.18-0.1mdv2009.0.i586.rpm 6caf8993f41da57e0e158aa554354ccf 2009.0/i586/python-lcms-1.18-0.1mdv2009.0.i586.rpm 2c0d76ae5dfc1a23187c29f9fd273095 2009.0/SRPMS/lcms-1.18-0.1mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: dd6a45fc122f1ef0011a8359d932227b 2009.0/x86_64/lcms-1.18-0.1mdv2009.0.x86_64.rpm de681b3655fef3bfcf9856280053b50d 2009.0/x86_64/lib64lcms1-1.18-0.1mdv2009.0.x86_64.rpm a91bcf179c1131d0fe60a9d73bdad9ac 2009.0/x86_64/lib64lcms-devel-1.18-0.1mdv2009.0.x86_64.rpm 4260c271642bc12a5f79ab5a3220f5f3 2009.0/x86_64/python-lcms-1.18-0.1mdv2009.0.x86_64.rpm 2c0d76ae5dfc1a23187c29f9fd273095 2009.0/SRPMS/lcms-1.18-0.1mdv2009.0.src.rpm Mandriva Linux 2009.1: a02457ee1cc925a81fc0a77ac9b98c24 2009.1/i586/lcms-1.18-1.1mdv2009.1.i586.rpm d6c2717a575aeb525648263e95625c2f 2009.1/i586/liblcms1-1.18-1.1mdv2009.1.i586.rpm 8e087ea8d40a2aa6e8d9dfa2dd0950c1 2009.1/i586/liblcms-devel-1.18-1.1mdv2009.1.i586.rpm 98f26f39aa5640e222466cdcf6ed24f6 2009.1/i586/python-lcms-1.18-1.1mdv2009.1.i586.rpm 32b9e76718ef78efbbe7a597fd4bdb06 2009.1/SRPMS/lcms-1.18-1.1mdv2009.1.src.rpm Mandriva Linux 2009.1/X86_64: b4aace6b015870306b4c1c8d2adcefe2 2009.1/x86_64/lcms-1.18-1.1mdv2009.1.x86_64.rpm f05c6dab9d818b0602efa75a929a171a 2009.1/x86_64/lib64lcms1-1.18-1.1mdv2009.1.x86_64.rpm 4d1a1e554c33d73173bc5930fc1a92f6 2009.1/x86_64/lib64lcms-devel-1.18-1.1mdv2009.1.x86_64.rpm 194fc36923e4914fb27c40af8dc80c7a 2009.1/x86_64/python-lcms-1.18-1.1mdv2009.1.x86_64.rpm 32b9e76718ef78efbbe7a597fd4bdb06 2009.1/SRPMS/lcms-1.18-1.1mdv2009.1.src.rpm Corporate 3.0: 1ace45d4de049e1d52a91c5fe84e17b5 corporate/3.0/i586/liblcms1-1.10-1.2.C30mdk.i586.rpm b59d77bd5a8ed230a2a2bc6bfbfeaa8c corporate/3.0/i586/liblcms1-devel-1.10-1.2.C30mdk.i586.rpm ee53e5c9feee02e5289561db727858e7 corporate/3.0/SRPMS/liblcms-1.10-1.2.C30mdk.src.rpm Corporate 3.0/X86_64: 32db1a46a9820ed9661ac8827e57e8c6 corporate/3.0/x86_64/lib64lcms1-1.10-1.2.C30mdk.x86_64.rpm 746aa607bad4b1905a74d002118bdf56 corporate/3.0/x86_64/lib64lcms1-devel-1.10-1.2.C30mdk.x86_64.rpm ee53e5c9feee02e5289561db727858e7 corporate/3.0/SRPMS/liblcms-1.10-1.2.C30mdk.src.rpm Corporate 4.0: 24361175b29470601a26390c8fa3080d corporate/4.0/i586/liblcms1-1.14-1.2.20060mlcs4.i586.rpm 2caf72d253d56cf51cebfcaba3560eee corporate/4.0/i586/liblcms1-devel-1.14-1.2.20060mlcs4.i586.rpm a40dbfb4e5a44e09f101e9e6f8d62c17 corporate/4.0/SRPMS/liblcms-1.14-1.2.20060mlcs4.src.rpm Corporate 4.0/X86_64: 642ce065be2e8f7a2dd78c1bf9f01652 corporate/4.0/x86_64/lib64lcms1-1.14-1.2.20060mlcs4.x86_64.rpm 013930f39a842e899e93ca570a06f339 corporate/4.0/x86_64/lib64lcms1-devel-1.14-1.2.20060mlcs4.x86_64.rpm a40dbfb4e5a44e09f101e9e6f8d62c17 corporate/4.0/SRPMS/liblcms-1.14-1.2.20060mlcs4.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFKFZjvmqjQ0CJFipgRAkeFAJ9ykO79nVFB8pNFu6GP5pHU2+pq4gCgunzs +XW2vViKxpqHnmeM+tTFN4s= =wTDp -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/