USN-744-1: LittleCMS vulnerabilities

23 March 2009

LittleCMS vulnerabilities

Releases

Packages

Details

Chris Evans discovered that LittleCMS did not properly handle certain error
conditions, resulting in a large memory leak. If a user or automated system
were tricked into processing an image with malicious ICC tags, a remote
attacker could cause a denial of service. (CVE-2009-0581)

Chris Evans discovered that LittleCMS contained multiple integer overflows.
If a user or automated system were tricked into processing an image with
malicious ICC tags, a remote attacker could crash applications linked
against liblcms1, leading to a denial of service, or possibly execute
arbitrary code with user privileges. (CVE-2009-0723)

Chris Evans discovered that LittleCMS did not properly perform bounds
checking, leading to a buffer overflow. If a user or automated system were
tricked into processing an image with malicious ICC tags, a remote attacker
could execute arbitrary code with user privileges. (CVE-2009-0733)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 8.10
Ubuntu 8.04
Ubuntu 7.10
Ubuntu 6.06

In general, a standard system upgrade is sufficient to effect the
necessary changes.