Security Advisory Moderate: lcms security update

Advisory: RHSA-2009:0011-9
Type: Security Advisory
Severity: Moderate
Issued on: 2009-01-07
Last updated on: 2009-01-07
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux EUS (v. 5.2.z server)
OVAL: com.redhat.rhsa-20090011.xml
CVEs (cve.mitre.org): CVE-2008-5316
CVE-2008-5317

Details

Updated lcms packages that resolve several security issues are now
available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Little Color Management System (LittleCMS, or simply "lcms") is a
small-footprint, speed-optimized open source color management engine.

Multiple insufficient input validation flaws were discovered in LittleCMS.
An attacker could use these flaws to create a specially-crafted image file
which could cause an application using LittleCMS to crash, or, possibly,
execute arbitrary code when opened. (CVE-2008-5316, CVE-2008-5317)

Users of lcms should upgrade to these updated packages, which contain
backported patches to correct these issues. All running applications using
the lcms library must be restarted for the update to take effect.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
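A host-side check for this advisory, added here as an example and not part of the Red Hat advisory: it compares the installed lcms version-release against the fixed one named in the package list below, verifies a downloaded package's MD5 against the published sum and its GPG signature with rpm, and lists processes that still have the lcms library mapped (the ones the Details section says must be restarted). The version comparison is a simplified reimplementation of rpm's ordering (no epoch or tilde handling), and the package path on the command line is a placeholder for a file fetched from Red Hat Network.

```shell
#!/bin/sh
# Added example for RHSA-2009:0011 (not part of the advisory itself).
# Usage:  sh rhsa_2009_0011_check.sh check [/path/to/downloaded.rpm [expected_md5]]

# Version-release that carries the fix, taken from the advisory's package list.
FIXED_VR="1.15-1.2.2.el5_2.2"
# Published MD5 of the i386 lcms package, taken from the advisory's package list
# (used as the default when no expected sum is given on the command line).
LCMS_I386_MD5="c48388004fccf264724a630d76a09b5e"

# Compare two version-release strings component-wise. Components are split on
# '.', '-' and '_'; numeric runs compare as integers, everything else as strings.
# Simplified re-implementation of rpm's ordering (no epoch, no tilde). Prints -1, 0 or 1.
vercmp() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        {
            n = split($0, parts, /[._-]/)
            for (i = 1; i <= n; i++) v[NR, i] = parts[i]
            len[NR] = n
        }
        END {
            m = (len[1] > len[2]) ? len[1] : len[2]
            for (i = 1; i <= m; i++) {
                x = v[1, i]; y = v[2, i]
                if (x == y) continue
                if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) r = (x + 0 < y + 0) ? -1 : 1
                else r = (x < y) ? -1 : 1
                print r; exit
            }
            print 0
        }'
}

# True when a version-release string is at or above the fixed one.
is_fixed() {
    [ "$(vercmp "$1" "$FIXED_VR")" -ge 0 ]
}

# Query the rpm database and report whether lcms still needs this update.
check_installed() {
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' lcms 2>/dev/null) || {
        echo "lcms is not installed (or rpm is unavailable)"; return 2; }
    if is_fixed "$installed"; then
        echo "lcms-$installed: at or above $FIXED_VR, RHSA-2009:0011 applied"
    else
        echo "lcms-$installed: below $FIXED_VR, update required"; return 1
    fi
}

# Compare a downloaded package's MD5 with the sum published in the advisory.
verify_md5() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# rpm -K checks the package's GPG signature against the imported Red Hat key.
verify_signature() {
    rpm -K "$1"
}

# PIDs of processes that have a liblcms object mapped; they keep running the
# old code until restarted, so the fix is not in effect for them yet.
lcms_users() {
    for maps in /proc/[0-9]*/maps; do
        if grep -q 'liblcms' "$maps" 2>/dev/null; then
            pid=${maps#/proc/}
            echo "${pid%%/*}"
        fi
    done
}

main() {
    check_installed
    if [ -n "$2" ]; then    # "$2" is a placeholder path to a package fetched from RHN
        if verify_md5 "$2" "${3:-$LCMS_I386_MD5}"; then
            echo "MD5 of $2 matches the advisory"
        else
            echo "MD5 of $2 does NOT match the advisory"
        fi
        verify_signature "$2" || echo "signature check failed for $2"
    fi
    users=$(lcms_users)
    [ -n "$users" ] && echo "processes using liblcms, restart after update: $users"
}

case "${1:-}" in
    check) main "$@" ;;
esac
```

The functions are written so they can be sourced into other scripts; the `check` subcommand runs the whole sequence. `vercmp` deliberately ignores rpm epochs, which lcms does not use in this release, so the comparison is exact for the version strings in this advisory but should not be reused for packages that carry an epoch.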

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
lcms-1.15-1.2.2.el5_2.2.src.rpm     2c245b106c3807d283284c9d7b13cf39     [outdated by RHSA-2009:0339]

IA-32:
lcms-devel-1.15-1.2.2.el5_2.2.i386.rpm     fb56c44f61d9cd3ff6a180a9a58dc619     [outdated by RHSA-2009:0339]

x86_64:
lcms-devel-1.15-1.2.2.el5_2.2.i386.rpm     fb56c44f61d9cd3ff6a180a9a58dc619     [outdated by RHSA-2009:0339]
lcms-devel-1.15-1.2.2.el5_2.2.x86_64.rpm     031b7b535721510ed5ae4c6ae7a164d0     [outdated by RHSA-2009:0339]

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
lcms-1.15-1.2.2.el5_2.2.src.rpm     2c245b106c3807d283284c9d7b13cf39     [outdated by RHSA-2009:0339]

IA-32:
lcms-1.15-1.2.2.el5_2.2.i386.rpm     c48388004fccf264724a630d76a09b5e     [outdated by RHSA-2009:0339]
lcms-devel-1.15-1.2.2.el5_2.2.i386.rpm     fb56c44f61d9cd3ff6a180a9a58dc619     [outdated by RHSA-2009:0339]
python-lcms-1.15-1.2.2.el5_2.2.i386.rpm     289eeafdbced3ff2f9feef1dfc4f1a3e     [outdated by RHSA-2009:0339]

IA-64:
lcms-1.15-1.2.2.el5_2.2.i386.rpm     c48388004fccf264724a630d76a09b5e     [outdated by RHSA-2009:0339]
lcms-1.15-1.2.2.el5_2.2.ia64.rpm     8b0d6cff74af4558ba9697f08768aa04     [outdated by RHSA-2009:0339]
lcms-devel-1.15-1.2.2.el5_2.2.ia64.rpm     7e9f6bfc75ebe6e6ef499732f70ec344     [outdated by RHSA-2009:0339]
python-lcms-1.15-1.2.2.el5_2.2.ia64.rpm     52dbaccc4f0a9692e9dd5e5e4c202f88     [outdated by RHSA-2009:0339]

PPC:
lcms-1.15-1.2.2.el5_2.2.ppc.rpm     f34a4fd796183681d4a3bb40becd2b31     [outdated by RHSA-2009:0339]
lcms-1.15-1.2.2.el5_2.2.ppc64.rpm     dd44f54566f0478124b1ac0830bf1a92     [outdated by RHSA-2009:0339]
lcms-devel-1.15-1.2.2.el5_2.2.ppc.rpm     c8258069f1339dab92e66db028e74eb0     [outdated by RHSA-2009:0339]
lcms-devel-1.15-1.2.2.el5_2.2.ppc64.rpm     5fd7e0c61b8bfb6ae94d107d3aa82352     [outdated by RHSA-2009:0339]
python-lcms-1.15-1.2.2.el5_2.2.ppc.rpm     3516a046cfc75944520b266768eaefbb     [outdated by RHSA-2009:0339]

s390x:
lcms-1.15-1.2.2.el5_2.2.s390.rpm     134689835a226daaddf7422c23bf91e7     [outdated by RHSA-2009:0339]
lcms-1.15-1.2.2.el5_2.2.s390x.rpm     7ccc7e8629de91cacd9c8ab38bf063d8     [outdated by RHSA-2009:0339]
lcms-devel-1.15-1.2.2.el5_2.2.s390.rpm     54a49857814cc29d1b765157f998b0e9     [outdated by RHSA-2009:0339]
lcms-devel-1.15-1.2.2.el5_2.2.s390x.rpm     48611bd0ef84958e51b28067be557fa2     [outdated by RHSA-2009:0339]
python-lcms-1.15-1.2.2.el5_2.2.s390x.rpm     f4459f2929759fa02f6332e98e2ba918     [outdated by RHSA-2009:0339]

x86_64:
lcms-1.15-1.2.2.el5_2.2.i386.rpm     c48388004fccf264724a630d76a09b5e     [outdated by RHSA-2009:0339]
lcms-1.15-1.2.2.el5_2.2.x86_64.rpm     42c32538ae803e60274b9c3dc69eaf9c     [outdated by RHSA-2009:0339]
lcms-devel-1.15-1.2.2.el5_2.2.i386.rpm     fb56c44f61d9cd3ff6a180a9a58dc619     [outdated by RHSA-2009:0339]
lcms-devel-1.15-1.2.2.el5_2.2.x86_64.rpm     031b7b535721510ed5ae4c6ae7a164d0     [outdated by RHSA-2009:0339]
python-lcms-1.15-1.2.2.el5_2.2.x86_64.rpm     276221b85ce0637a7ba331f7cb4e3cc9     [outdated by RHSA-2009:0339]

Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
lcms-1.15-1.2.2.el5_2.2.src.rpm     2c245b106c3807d283284c9d7b13cf39     [outdated by RHSA-2009:0339]

IA-32:
lcms-1.15-1.2.2.el5_2.2.i386.rpm     c48388004fccf264724a630d76a09b5e     [outdated by RHSA-2009:0339]
python-lcms-1.15-1.2.2.el5_2.2.i386.rpm     289eeafdbced3ff2f9feef1dfc4f1a3e     [outdated by RHSA-2009:0339]

x86_64:
lcms-1.15-1.2.2.el5_2.2.i386.rpm     c48388004fccf264724a630d76a09b5e     [outdated by RHSA-2009:0339]
lcms-1.15-1.2.2.el5_2.2.x86_64.rpm     42c32538ae803e60274b9c3dc69eaf9c     [outdated by RHSA-2009:0339]
python-lcms-1.15-1.2.2.el5_2.2.x86_64.rpm     276221b85ce0637a7ba331f7cb4e3cc9     [outdated by RHSA-2009:0339]

Red Hat Enterprise Linux EUS (v. 5.2.z server)

SRPMS:
lcms-1.15-1.2.2.el5_2.2.src.rpm     2c245b106c3807d283284c9d7b13cf39     [outdated by RHSA-2009:0339]

IA-32:
lcms-1.15-1.2.2.el5_2.2.i386.rpm     c48388004fccf264724a630d76a09b5e
lcms-devel-1.15-1.2.2.el5_2.2.i386.rpm     fb56c44f61d9cd3ff6a180a9a58dc619
python-lcms-1.15-1.2.2.el5_2.2.i386.rpm     289eeafdbced3ff2f9feef1dfc4f1a3e
 
IA-64:
lcms-1.15-1.2.2.el5_2.2.i386.rpm     c48388004fccf264724a630d76a09b5e
lcms-1.15-1.2.2.el5_2.2.ia64.rpm     8b0d6cff74af4558ba9697f08768aa04
lcms-devel-1.15-1.2.2.el5_2.2.ia64.rpm     7e9f6bfc75ebe6e6ef499732f70ec344
python-lcms-1.15-1.2.2.el5_2.2.ia64.rpm     52dbaccc4f0a9692e9dd5e5e4c202f88
 
PPC:
lcms-1.15-1.2.2.el5_2.2.ppc.rpm     f34a4fd796183681d4a3bb40becd2b31
lcms-1.15-1.2.2.el5_2.2.ppc64.rpm     dd44f54566f0478124b1ac0830bf1a92
lcms-devel-1.15-1.2.2.el5_2.2.ppc.rpm     c8258069f1339dab92e66db028e74eb0
lcms-devel-1.15-1.2.2.el5_2.2.ppc64.rpm     5fd7e0c61b8bfb6ae94d107d3aa82352
python-lcms-1.15-1.2.2.el5_2.2.ppc.rpm     3516a046cfc75944520b266768eaefbb
 
s390x:
lcms-1.15-1.2.2.el5_2.2.s390.rpm     134689835a226daaddf7422c23bf91e7
lcms-1.15-1.2.2.el5_2.2.s390x.rpm     7ccc7e8629de91cacd9c8ab38bf063d8
lcms-devel-1.15-1.2.2.el5_2.2.s390.rpm     54a49857814cc29d1b765157f998b0e9
lcms-devel-1.15-1.2.2.el5_2.2.s390x.rpm     48611bd0ef84958e51b28067be557fa2
python-lcms-1.15-1.2.2.el5_2.2.s390x.rpm     f4459f2929759fa02f6332e98e2ba918
 
x86_64:
lcms-1.15-1.2.2.el5_2.2.i386.rpm     c48388004fccf264724a630d76a09b5e
lcms-1.15-1.2.2.el5_2.2.x86_64.rpm     42c32538ae803e60274b9c3dc69eaf9c
lcms-devel-1.15-1.2.2.el5_2.2.i386.rpm     fb56c44f61d9cd3ff6a180a9a58dc619
lcms-devel-1.15-1.2.2.el5_2.2.x86_64.rpm     031b7b535721510ed5ae4c6ae7a164d0
python-lcms-1.15-1.2.2.el5_2.2.x86_64.rpm     276221b85ce0637a7ba331f7cb4e3cc9
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

473462 - CVE-2008-5316 lcms: insufficient input validation in ReadEmbeddedTextTag
473463 - CVE-2008-5317 lcms: unsigned -> signed integer cast issue in cmsAllocGamma


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/