Security Advisory Moderate: lcms security update

Advisory: RHSA-2009:0339-11
Type: Security Advisory
Severity: Moderate
Issued on: 2009-03-19
Last updated on: 2009-03-19
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux EUS (v. 5.3.z server)
Red Hat Enterprise Linux Long Life (v. 5.3 server)
CVEs (cve.mitre.org): CVE-2009-0581
CVE-2009-0723
CVE-2009-0733

Details

Updated lcms packages that resolve several security issues are now
available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Little Color Management System (LittleCMS, or simply "lcms") is a
small-footprint, speed-optimized open source color management engine.

Multiple integer overflow flaws which could lead to heap-based buffer
overflows, as well as multiple insufficient input validation flaws, were
found in LittleCMS. An attacker could use these flaws to create a
specially-crafted image file which could cause an application using
LittleCMS to crash, or, possibly, execute arbitrary code when opened by a
victim. (CVE-2009-0723, CVE-2009-0733)

A memory leak flaw was found in LittleCMS. An application using LittleCMS
could consume an excessive amount of memory, and possibly crash after
exhausting all available memory, if used to open specially-crafted images.
(CVE-2009-0581)
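As an added illustration of the bug class the two paragraphs above describe (this is not LittleCMS code or part of the advisory), the C below puts the unchecked size computation next to a hardened table loader that bounds the element count, detects multiplication wrap, and performs every check before allocating; the function names and the table limit are assumptions.

```c
/* Added example, not LittleCMS code: the checks whose absence defines the
 * CVE-2009-0723 / CVE-2009-0733 bug class. A count read from an untrusted
 * file is multiplied by an element size; if the product wraps, malloc()
 * returns a short buffer and the copy that follows overruns the heap.
 * Function names and the table limit are assumptions, not lcms internals. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TABLE_ENTRIES 65536u   /* assumed sane upper bound for a table */

/* The unsafe pattern: (size_t)count * entry_size silently wraps. */
size_t naive_size(uint32_t count, size_t entry_size)
{
    return (size_t)count * entry_size;
}

/* Multiply with wrap detection: 0 and *out set on success, -1 on overflow. */
int checked_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Copy `count` entries of `entry_size` bytes from an `avail`-byte blob into
 * a fresh heap buffer; NULL on any violation. All checks run before malloc(),
 * so there is no allocate-then-bail error path that could leak the buffer
 * or leave a short allocation behind. */
unsigned char *load_table(const unsigned char *src, size_t avail,
                          uint32_t count, size_t entry_size, size_t *out_len)
{
    size_t need;
    if (count > MAX_TABLE_ENTRIES)              /* upper-bounds check */
        return NULL;
    if (checked_mul(count, entry_size, &need))  /* wrap check */
        return NULL;
    if (need > avail)                           /* input shorter than claimed */
        return NULL;
    unsigned char *buf = malloc(need ? need : 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, src, need);
    *out_len = need;
    return buf;
}
```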

Red Hat would like to thank Chris Evans from the Google Security Team for
reporting these issues.

All users of LittleCMS should install these updated packages, which upgrade
LittleCMS to version 1.18. All running applications using the lcms library
must be restarted for the update to take effect.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages


Bugs fixed (see bugzilla for more information)

487508 - CVE-2009-0723 LittleCms integer overflow
487509 - CVE-2009-0581 LittleCms memory leak
487512 - CVE-2009-0733 LittleCms lack of upper-bounds check on sizes


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/