[lfs-patches] r3175 - trunk/lcms

fernando at higgs.linuxfromscratch.org fernando at higgs.linuxfromscratch.org
Tue Mar 24 17:15:24 PDT 2015


Author: fernando
Date: Tue Mar 24 17:15:24 2015
New Revision: 3175

Log:
Add security patch to Little CMS-1.19.

Added:
   trunk/lcms/lcms-1.19-cve_2013_4276-1.patch

Added: trunk/lcms/lcms-1.19-cve_2013_4276-1.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ trunk/lcms/lcms-1.19-cve_2013_4276-1.patch	Tue Mar 24 17:15:24 2015	(r3175)
@@ -0,0 +1,74 @@
+Submitted By:            Fernando de Oliveira <famobr at yahoo dot com dot br>
+Date:                    2015-03-24
+Initial Package Version: 2.7.7
+Upstream Status:         unknown
+Origin:                  Arch Linux
+URL (CVE):               https://www.suse.com/security/cve/CVE-2013-4276.html
+Description:             Multiple stack-based buffer overflows in LittleCMS
+                         (aka lcms or liblcms) 1.19 and earlier allow remote
+                         attackers to cause a denial of service (crash) via a
+                         crafted (1) ICC color profile to the icctrans utility
+                         or (2) TIFF image to the tiffdiff utility.
+
+diff -ur lcms-1.19.dfsg/samples/icctrans.c lcms-1.19.dfsg-patched/samples/icctrans.c
+--- lcms-1.19.dfsg/samples/icctrans.c	2009-10-30 15:57:45.000000000 +0000
++++ lcms-1.19.dfsg-patched/samples/icctrans.c	2013-08-06 11:53:14.385266647 +0100
+@@ -86,6 +86,8 @@
+ static LPcmsNAMEDCOLORLIST InputColorant = NULL;
+ static LPcmsNAMEDCOLORLIST OutputColorant = NULL;
+ 
++unsigned int Buffer_size = 4096;
++
+ 
+ // isatty replacement
+ 
+@@ -500,7 +502,7 @@
+ 
+     Prefix[0] = 0;
+     if (!lTerse)
+-        sprintf(Prefix, "%s=", C);
++        snprintf(Prefix, 20, "%s=", C);
+ 
+     if (InHexa)
+     {
+@@ -648,7 +650,9 @@
+ static
+ void GetLine(char* Buffer)
+ {    
+-    scanf("%s", Buffer);
++    char User_buffer[Buffer_size];
++    fgets(User_buffer, (Buffer_size - 1), stdin);
++    sscanf(User_buffer,"%s", Buffer);
+     
+     if (toupper(Buffer[0]) == 'Q') { // Quit?
+ 
+@@ -668,7 +672,7 @@
+ static
+ double GetAnswer(const char* Prompt, double Range)
+ {
+-    char Buffer[4096];
++    char Buffer[Buffer_size];
+     double val = 0.0;
+ 	       
+     if (Range == 0.0) {              // Range 0 means double value
+@@ -738,7 +742,7 @@
+ static
+ WORD GetIndex(void)
+ {
+-    char Buffer[4096], Name[40], Prefix[40], Suffix[40];
++    char Buffer[Buffer_size], Name[40], Prefix[40], Suffix[40];
+     int index, max;
+ 
+     max = cmsNamedColorCount(hTrans)-1;
+diff -ur lcms-1.19.dfsg/tifficc/tiffdiff.c lcms-1.19.dfsg-patched/tifficc/tiffdiff.c
+--- lcms-1.19.dfsg/tifficc/tiffdiff.c	2009-10-30 15:57:46.000000000 +0000
++++ lcms-1.19.dfsg-patched/tifficc/tiffdiff.c	2013-08-06 11:49:06.698951157 +0100
+@@ -633,7 +633,7 @@
+     cmsIT8SetSheetType(hIT8, "TIFFDIFF");
+     
+    
+-    sprintf(Buffer, "Differences between %s and %s", TiffName1, TiffName2);
++    snprintf(Buffer, 256, "Differences between %s and %s", TiffName1, TiffName2);
+   
+     cmsIT8SetComment(hIT8, Buffer);
+ 


More information about the patches mailing list