LittleCMS: Denial of service — GLSA 201412-46

Multiple buffer overflow flaws and a parser error in LittleCMS could cause Denial of Service.

Affected packages

media-libs/lcms on all architectures
Affected versions < 2.6-r1
Unaffected versions >= 2.6-r1

Background

LittleCMS, or short lcms, is a color management system for working with ICC profiles. It is used by many applications including GIMP and Firefox.

Description

Multiple stack-based buffer overflows and a profile parser error have been found in LittleCMS.

Impact

A remote attacker could entice a user or automated system to open a specially crafted file containing a malicious ICC profile, possibly resulting in a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All LittleCMS users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-libs/lcms-2.6-r1"
 

Packages which depend on this library may need to be recompiled. Tools such as revdep-rebuild may assist in identifying these packages.

NOTE: Gentoo has discontinued support for the LittleCMS 1.9 branch.

References

Release date
December 26, 2014

Latest revision
December 26, 2014: 1

Severity
normal

Exploitable
remote

Bugzilla entries