oss-sec mailing list archives
CVE Request: OpenJDK and lcms2 2.5 release fixes various denial of service issues in lcms2
From: Marcus Meissner <meissner () suse de>
Date: Thu, 18 Jul 2013 14:40:55 +0200
Hi,

The lcms2 2.4 -> 2.5 version upgrade fixes various crashes that could be used by attackers to crash (NULL ptr deref) programs using lcms2, like e.g. OpenJDK 7.

This was found in the embedded copy within OpenJDK7 first, then merged to lcms2.

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-July/023895.html

lcms2 related issues in there:

* S8007925: Improve cmsStageAllocLabV2ToV4curves
* S8007926: Improve cmsPipelineDup
* S8007927: Improve cmsAllocProfileSequenceDescription
* S8007929: Improve CurvesAlloc
* S8009654: Improve stability of cmsnamed

All covered by lcms2 in this commit (I think):
https://github.com/mm2/Little-CMS/commit/91c2db7f2559be504211b283bc3a2c631d6f06d9

These probably can get just 1 CVE, although I do not know the OpenJDK IcedTea side of the story.

https://bugzilla.novell.com/show_bug.cgi?id=826097#c9 has the research into more of these stability commits in lcms2 by my colleague Stanislav Brabec. Not sure if they should get separate CVEs or not.

Ciao, Marcus
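As an added illustration (not code from the post, from lcms2 or from OpenJDK), the block below shows the general shape of the crash class the post reports, a NULL pointer dereference inside a routine that duplicates a chain of allocated stages, in a hypothetical duplicate function paired with a fault-injecting allocator so the failure path can be reached deliberately and shown to return an error instead of crashing. Every type and function name here (Stage, Pipeline, xmalloc, pipeline_build, pipeline_dup, dup_with_fault) is invented for the example and does not correspond to lcms2 internals; the post names cmsPipelineDup only as one of the improved routines and says nothing about how it was changed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stage/pipeline types standing in for a chain of colour
   processing stages; names are illustrative, not lcms2's own. */
typedef struct Stage {
    size_t nsamples;
    float *samples;
    struct Stage *next;
} Stage;

typedef struct Pipeline { Stage *head; } Pipeline;

/* Fault-injecting allocator: when fail_at > 0, the fail_at-th call (1-based)
   returns NULL, so the allocation-failure path can be exercised on purpose. */
int alloc_calls = 0;
int fail_at = 0;

void *xmalloc(size_t sz)
{
    alloc_calls++;
    if (fail_at > 0 && alloc_calls == fail_at) return NULL;
    return malloc(sz);
}

/* Releases a pipeline and every stage it owns; tolerates NULL. */
void pipeline_free(Pipeline *p)
{
    if (p == NULL) return;
    for (Stage *s = p->head; s != NULL;) {
        Stage *next = s->next;
        free(s->samples);
        free(s);
        s = next;
    }
    free(p);
}

/* Allocates one stage; NULL (with nothing leaked) if either allocation fails. */
Stage *stage_alloc(size_t nsamples)
{
    Stage *s = xmalloc(sizeof *s);
    if (s == NULL) return NULL;
    s->samples = xmalloc(nsamples * sizeof *s->samples);
    if (s->samples == NULL) { free(s); return NULL; }
    s->nsamples = nsamples;
    s->next = NULL;
    return s;
}

/* Builds nstages stages holding nsamples constructed sample values each. */
Pipeline *pipeline_build(size_t nstages, size_t nsamples)
{
    Pipeline *p = xmalloc(sizeof *p);
    if (p == NULL) return NULL;
    p->head = NULL;
    Stage **tail = &p->head;
    for (size_t i = 0; i < nstages; i++) {
        Stage *s = stage_alloc(nsamples);
        if (s == NULL) { pipeline_free(p); return NULL; }
        for (size_t k = 0; k < nsamples; k++) s->samples[k] = (float)(i * 100 + k);
        *tail = s;
        tail = &s->next;
    }
    return p;
}

/* Hardened duplicate. The unhardened shape of this routine is the same loop
   without the `c == NULL` branch: when stage_alloc fails, memcpy reads through
   a NULL pointer and the host process crashes, which is the NULL-deref
   denial-of-service class the post describes. Here every allocation is
   checked and the partially built copy is released before failure is reported.
   Returns 0 and sets *out on success, -1 on failure with *out untouched. */
int pipeline_dup(const Pipeline *src, Pipeline **out)
{
    Pipeline *dst = xmalloc(sizeof *dst);
    if (dst == NULL) return -1;
    dst->head = NULL;
    Stage **tail = &dst->head;
    for (const Stage *s = src->head; s != NULL; s = s->next) {
        Stage *c = stage_alloc(s->nsamples);
        if (c == NULL) {          /* the check the crashing version lacks */
            pipeline_free(dst);   /* frees the stages copied so far: no leak */
            return -1;
        }
        memcpy(c->samples, s->samples, s->nsamples * sizeof *c->samples);
        *tail = c;
        tail = &c->next;
    }
    *out = dst;
    return 0;
}

/* Harness: builds a source pipeline, then duplicates it with allocation call
   number fail_call forced to fail (0 = no fault). Returns the number of stages
   in the copy on success, -1 if pipeline_dup reported failure, -2 if the
   source itself could not be built. */
int dup_with_fault(size_t nstages, size_t nsamples, int fail_call)
{
    fail_at = 0;
    Pipeline *src = pipeline_build(nstages, nsamples);
    if (src == NULL) return -2;
    alloc_calls = 0;
    fail_at = fail_call;
    Pipeline *copy = NULL;
    int rc = pipeline_dup(src, &copy);
    fail_at = 0;
    if (rc == 0) {
        for (const Stage *c = copy->head; c != NULL; c = c->next) rc++;
        pipeline_free(copy);
    }
    pipeline_free(src);
    return rc;
}
```

With a three-stage source, each stage costs two allocations after the first call for the pipeline struct itself, so forcing any of calls 1 through 7 to fail makes dup_with_fault return -1 cleanly, while no fault (or a fault number never reached) returns 3. Running the same harness under AddressSanitizer or Valgrind is the quick way to confirm the failure path also leaks nothing.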