[USN-693-1] LittleCMS vulnerability
Date: Wed, 17 Dec 2008 16:12:50 -0800
From: Kees Cook <kees@ubuntu.com.>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-693-1] LittleCMS vulnerability
Message-ID: <20081218001250.GV9250@outflux.net.>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="xXmbgvnjoT4axfJE"
Content-Disposition: inline
Organization: Ubuntu
X-MIMEDefang-Filter: outflux$Revision: 1.316 $
X-HELO: www.outflux.net
X-Scanned-By: MIMEDefang 2.63 on 10.2.0.1
X-Virus-Scanned: antivirus-gw at tyumen.ru
--xXmbgvnjoT4axfJE
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Ubuntu Security Notice USN-693-1 December 17, 2008
LittleCMS vulnerability
CVE-2008-5317
A security issue affects the following Ubuntu releases:
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 7.10:
liblcms1 1.16-5ubuntu3.1
Ubuntu 8.04 LTS:
liblcms1 1.16-7ubuntu1.1
Ubuntu 8.10:
liblcms1 1.16-10ubuntu0.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
It was discovered that certain gamma operations in lcms were not
correctly bounds-checked. If a user or automated system were tricked into
processing a malicious image, a remote attacker could crash applications
linked against liblcms1, leading to a denial of service, or possibly
execute arbitrary code with user privileges.
Updated packages for Ubuntu 7.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/lcms_1.16-5ubuntu3.1.diff.gz
Size/MD5: 22270 1b07d069f29de87c948d397bb60f1c63
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/lcms_1.16-5ubuntu3.1.dsc
Size/MD5: 1053 52d8cf3618b1d68c4d847807145ff300
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/lcms_1.16.orig.tar.gz
Size/MD5: 911546 b07b623f3e712373ff713fb32cf23651
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1-dev_1.16-5ubuntu3.1_amd64.deb
Size/MD5: 674464 3ea01d1fb1e43a689d5aafe150702755
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1_1.16-5ubuntu3.1_amd64.deb
Size/MD5: 104172 ebeeb2d5b7dfc5df6cd759900d29f1bd
http://security.ubuntu.com/ubuntu/pool/universe/l/lcms/liblcms-utils_1.16-5ubuntu3.1_amd64.deb
Size/MD5: 58010 cfc5b383ff04d603270e5e129a100a35
http://security.ubuntu.com/ubuntu/pool/universe/l/lcms/python-liblcms_1.16-5ubuntu3.1_amd64.deb
Size/MD5: 160770 6ada95ac551daf18adf83eb0274eb15a
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1-dev_1.16-5ubuntu3.1_i386.deb
Size/MD5: 625654 5bca706031d3f2150a08ae8d4f252b5d
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1_1.16-5ubuntu3.1_i386.deb
Size/MD5: 98032 520b7d9b6f4e9ad58974ea574c594640
http://security.ubuntu.com/ubuntu/pool/universe/l/lcms/liblcms-utils_1.16-5ubuntu3.1_i386.deb
Size/MD5: 54488 fa816dc4c97ffc22d8200d390ccbfdc3
http://security.ubuntu.com/ubuntu/pool/universe/l/lcms/python-liblcms_1.16-5ubuntu3.1_i386.deb
Size/MD5: 151868 6a9d8575a81353384712b8b890c5d3db
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/l/lcms/liblcms1-dev_1.16-5ubuntu3.1_lpia.deb
Size/MD5: 627708 35acd977e4ca7c9ba06c5a19d708f6a5
http://ports.ubuntu.com/pool/main/l/lcms/liblcms1_1.16-5ubuntu3.1_lpia.deb
Size/MD5: 96818 483f473b4ec36e5baa6cbd87644fb0db
http://ports.ubuntu.com/pool/universe/l/lcms/liblcms-utils_1.16-5ubuntu3.1_lpia.deb
Size/MD5: 54790 10144bba21291ab939b0cbdcc82b39a8
http://ports.ubuntu.com/pool/universe/l/lcms/python-liblcms_1.16-5ubuntu3.1_lpia.deb
Size/MD5: 148288 d638ba9bac48029ab63942b76086f9ec
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1-dev_1.16-5ubuntu3.1_powerpc.deb
Size/MD5: 763170 75eb4df9ffc2343940521d61386232d8
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1_1.16-5ubuntu3.1_powerpc.deb
Size/MD5: 114370 0f56f9006b051e3f90ac255242ed55da
http://security.ubuntu.com/ubuntu/pool/universe/l/lcms/liblcms-utils_1.16-5ubuntu3.1_powerpc.deb
Size/MD5: 71750 313ced524c05c5b5524a43a6fe00b3b9
http://security.ubuntu.com/ubuntu/pool/universe/l/lcms/python-liblcms_1.16-5ubuntu3.1_powerpc.deb
Size/MD5: 169576 99c75e89acf4c53d2da192131832ab61
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1-dev_1.16-5ubuntu3.1_sparc.deb
Size/MD5: 657440 32a668d688b45caf1b576d375067bab4
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1_1.16-5ubuntu3.1_sparc.deb
Size/MD5: 100078 272239660086573a11e9117150e990a4
http://security.ubuntu.com/ubuntu/pool/universe/l/lcms/liblcms-utils_1.16-5ubuntu3.1_sparc.deb
Size/MD5: 58090 d337f0c2012f27b06923b7e3bcc151a7
http://security.ubuntu.com/ubuntu/pool/universe/l/lcms/python-liblcms_1.16-5ubuntu3.1_sparc.deb
Size/MD5: 160136 8b597e2f473e0df9a1d945f0e442940b
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/lcms_1.16-7ubuntu1.1.diff.gz
Size/MD5: 22469 fcf92c912c23a981e7e876e954d8744d
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/lcms_1.16-7ubuntu1.1.dsc
Size/MD5: 1053 cf6e6b3ad7d4d531db951e64c96fa6ce
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/lcms_1.16.orig.tar.gz
Size/MD5: 911546 b07b623f3e712373ff713fb32cf23651
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1-dev_1.16-7ubuntu1.1_amd64.deb
Size/MD5: 670458 389170d9ba5385e3b87abd7fea8f250b
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1_1.16-7ubuntu1.1_amd64.deb
Size/MD5: 101744 1cdd5f38017276817630c69944817b93
http://security.ubuntu.com/ubuntu/pool/universe/l/lcms/liblcms-utils_1.16-7ubuntu1.1_amd64.deb
Size/MD5: 58356 c0fefad25646dcb4e7f93159c42e6bcc
http://security.ubuntu.com/ubuntu/pool/universe/l/lcms/python-liblcms_1.16-7ubuntu1.1_amd64.deb
Size/MD5: 160436 b91c09489730b424726d26dfd8a4fe79
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1-dev_1.16-7ubuntu1.1_i386.deb
Size/MD5: 622152 844db5648952349416359497203ed5e1
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1_1.16-7ubuntu1.1_i386.deb
Size/MD5: 95466 e7d24a75c74c87e420f911d7365b07dc
http://security.ubuntu.com/ubuntu/pool/universe/l/lcms/liblcms-utils_1.16-7ubuntu1.1_i386.deb
Size/MD5: 54672 70c3a777cd083539ea74ba1e1564ab31
http://security.ubuntu.com/ubuntu/pool/universe/l/lcms/python-liblcms_1.16-7ubuntu1.1_i386.deb
Size/MD5: 151552 b6d5ab5fea28164ee431f2b453677519
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/l/lcms/liblcms1-dev_1.16-7ubuntu1.1_lpia.deb
Size/MD5: 627770 b95154ae17f67303fa343c5e54a8c9af
http://ports.ubuntu.com/pool/main/l/lcms/liblcms1_1.16-7ubuntu1.1_lpia.deb
Size/MD5: 94872 53b3adcbc246094250ec98163a46b573
http://ports.ubuntu.com/pool/universe/l/lcms/liblcms-utils_1.16-7ubuntu1.1_lpia.deb
Size/MD5: 55092 350254ecdd74305e75127fb3f9e8dd79
http://ports.ubuntu.com/pool/universe/l/lcms/python-liblcms_1.16-7ubuntu1.1_lpia.deb
Size/MD5: 148254 2cd35a66c405452243b4a38b0a1e4453
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/l/lcms/liblcms1-dev_1.16-7ubuntu1.1_powerpc.deb
Size/MD5: 755162 40848281cf1cb5f3bf5c122a7783e391
http://ports.ubuntu.com/pool/main/l/lcms/liblcms1_1.16-7ubuntu1.1_powerpc.deb
Size/MD5: 110340 df518facbac1fa8fa3552b44057bc548
http://ports.ubuntu.com/pool/universe/l/lcms/liblcms-utils_1.16-7ubuntu1.1_powerpc.deb
Size/MD5: 71892 caa429129d946b7213880e57c0f61b84
http://ports.ubuntu.com/pool/universe/l/lcms/python-liblcms_1.16-7ubuntu1.1_powerpc.deb
Size/MD5: 168896 ca6554614940fced2f6f802e8eb77750
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/l/lcms/liblcms1-dev_1.16-7ubuntu1.1_sparc.deb
Size/MD5: 654668 782d69b57421c081f2016fd9dad8b43d
http://ports.ubuntu.com/pool/main/l/lcms/liblcms1_1.16-7ubuntu1.1_sparc.deb
Size/MD5: 98028 3661278c58ed7be1aa7fa65d4ec49203
http://ports.ubuntu.com/pool/universe/l/lcms/liblcms-utils_1.16-7ubuntu1.1_sparc.deb
Size/MD5: 57514 71726d5636e96491a3a3fdc1600743b7
http://ports.ubuntu.com/pool/universe/l/lcms/python-liblcms_1.16-7ubuntu1.1_sparc.deb
Size/MD5: 159470 25cdabf9bf9b16771588d58d42503007
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/lcms_1.16-10ubuntu0.1.diff.gz
Size/MD5: 29404 eacd820823911007b6b21265abdae350
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/lcms_1.16-10ubuntu0.1.dsc
Size/MD5: 1392 c16d4901c439d15942787ce7b9ac6cfb
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/lcms_1.16.orig.tar.gz
Size/MD5: 911546 b07b623f3e712373ff713fb32cf23651
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1-dev_1.16-10ubuntu0.1_amd64.deb
Size/MD5: 197204 4b79b0c8731fdf766005eaff996150dc
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1_1.16-10ubuntu0.1_amd64.deb
Size/MD5: 106476 5ecee5ef79c27485f1b0129b9d4c1b93
http://security.ubuntu.com/ubuntu/pool/universe/l/lcms/liblcms-utils_1.16-10ubuntu0.1_amd64.deb
Size/MD5: 59174 401a56d3d9cd7bab04a10c6b2cd33365
http://security.ubuntu.com/ubuntu/pool/universe/l/lcms/python-liblcms_1.16-10ubuntu0.1_amd64.deb
Size/MD5: 158102 9efb209d3c595f41f66d7d26ad8e3588
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1-dev_1.16-10ubuntu0.1_i386.deb
Size/MD5: 191302 98aba1dab86b168b6e951f6f3956b5ba
http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1_1.16-10ubuntu0.1_i386.deb
Size/MD5: 99828 7845d9d8f2fbfa21ee32c3729c2d9868
http://security.ubuntu.com/ubuntu/pool/universe/l/lcms/liblcms-utils_1.16-10ubuntu0.1_i386.deb
Size/MD5: 55068 5efbdd09f294552f6ccabd0e5629c3a2
http://security.ubuntu.com/ubuntu/pool/universe/l/lcms/python-liblcms_1.16-10ubuntu0.1_i386.deb
Size/MD5: 150090 7666a4cbf4388488b619197f64330064
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/l/lcms/liblcms1-dev_1.16-10ubuntu0.1_lpia.deb
Size/MD5: 187792 8a3293477e04f876ff7c75564536be6b
http://ports.ubuntu.com/pool/main/l/lcms/liblcms1_1.16-10ubuntu0.1_lpia.deb
Size/MD5: 98944 79a6c1e8506d75c4dbd35e3e0a4503c9
http://ports.ubuntu.com/pool/universe/l/lcms/liblcms-utils_1.16-10ubuntu0.1_lpia.deb
Size/MD5: 55426 28af10c678fd5115a92eba1c163ae720
http://ports.ubuntu.com/pool/universe/l/lcms/python-liblcms_1.16-10ubuntu0.1_lpia.deb
Size/MD5: 144842 f33dbd92568f48569d8f94bfa26c51f8
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/l/lcms/liblcms1-dev_1.16-10ubuntu0.1_powerpc.deb
Size/MD5: 196914 012cf48172fedf8948325e3a256e9af2
http://ports.ubuntu.com/pool/main/l/lcms/liblcms1_1.16-10ubuntu0.1_powerpc.deb
Size/MD5: 112694 47dae0b542510d60b1b09d88c5cef85e
http://ports.ubuntu.com/pool/universe/l/lcms/liblcms-utils_1.16-10ubuntu0.1_powerpc.deb
Size/MD5: 71708 b6cfa22b59f238b33a9910a7883784cf
http://ports.ubuntu.com/pool/universe/l/lcms/python-liblcms_1.16-10ubuntu0.1_powerpc.deb
Size/MD5: 165428 b390b6ee91a623610fe31af830238711
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/l/lcms/liblcms1-dev_1.16-10ubuntu0.1_sparc.deb
Size/MD5: 194928 32851f26520fcf3c9648262ef8e9f789
http://ports.ubuntu.com/pool/main/l/lcms/liblcms1_1.16-10ubuntu0.1_sparc.deb
Size/MD5: 100278 41519fa060778d9262e9a1213f6f5377
http://ports.ubuntu.com/pool/universe/l/lcms/liblcms-utils_1.16-10ubuntu0.1_sparc.deb
Size/MD5: 60870 fe6c4d54bda7e4666ab6204dd298941c
http://ports.ubuntu.com/pool/universe/l/lcms/python-liblcms_1.16-10ubuntu0.1_sparc.deb
Size/MD5: 157904 1fe77086778f73964b4caa015182003e
--xXmbgvnjoT4axfJE
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Kees Cook <kees@outflux.net.>
iEYEARECAAYFAklJlYIACgkQH/9LqRcGPm0mHwCfYMWCipR6LACwxtBq4cLe8Ana
scIAnjCHZN5TpyvxrxtILmtSIcwpm1g+
=uAXt
-----END PGP SIGNATURE-----
--xXmbgvnjoT4axfJE--
