oCERT-2009-003 LittleCMS integer errors


LittleCMS, an open source color management engine, suffers from several integer errors, resulting in stack based buffer overflows and various heap errors as well as dangerous memory leaks. Decoding a specially crafted image file will result in unexpected process termination, Denial Of Service conditions or arbitrary code execution due to stack overflow.

LittleCMS is used by several Open Source projects including OpenJDK, Firefox and GIMP.

Affected version:

LittleCMS <= 1.17

The following packages were identified as affected as they statically include LittleCMS in their own packages.

OpenJDK <= 7 build b48

foo2zjs, N/A

libmng zip archives <= 01009x

Firefox <= 3.1 beta 2

Fixed version:

LittleCMS >= 1.18 beta 2

OpenJDK, N/A

foo2zjs, N/A

libmng zip archives >= 01010x

Firefox, N/A

Credit: vulnerability report received from Chris Evans <cevans [at] google [dot] com>, Google Security Team.

CVE: CVE-2009-0723 (integer overflows), CVE-2009-0581 (memory leak), CVE-2009-0733 (lack of upper-ground checks on size)


2009-02-13: vulnerability report and patch received
2009-02-16: contacted littlecms maintainer
2009-02-16: oCERT investigated for other potential affected projects
2009-02-20: maintainer provides updated patch
2009-02-20: reporter provides new patch fixing memory leak
2009-02-21: maintainer provides fixed beta version
2009-02-23: reporter confirms fixes
2009-02-24: contacted affected vendors providing combined security patch and beta version, recommending the latter
2009-03-02: patch found to break functionality, contacted affected vendors advising to use only beta version
2009-03-03: reporter provides additional patch based on feedback, patch provided to vendors
2009-03-06: Debian requests embargo lift
2009-03-08: embargo lifted from 03-09 to 03-19, affected vendors notified
2009-03-20: advisory release