Message-ID: <72daeffd0903191924t2e78513frdce3f87eb880d605@mail.gmail.com>
Date: Thu, 19 Mar 2009 19:24:43 -0700
From: Chris Evans <scarybeasts@...il.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>, bugtraq@...urityfocus.com
Subject: LittleCMS vulnerabilities (OpenJDK, Firefox, GIMP, etc. impacted)

Hi,

LittleCMS (or lcms) prior to v1.18beta2 contains various integer
overflow, buffer overflow and memory leak errors. At least one of
these bugs is a stack-based buffer overflow which is good for
arbitrary code execution. I have an exploit that works on my
Ubuntu-8.10 laptop but am holding off on releasing it just yet.

The most serious bug is a stack-based buffer overflow in
ReadSetOfCurves() in cmsio1.c. With some code paths, validation of the
number of channels in the ICC profile is not performed. This leads to
an overflow of the "Curves" stack buffer. The overflow data is not
arbitrarily user controlled; it's pointers to heap chunks where the
attacker has partial control over the contents of the heap chunks.
That's good enough for an exploit on many systems.

Full technical details: http://scary.beasts.org/security/CESA-2009-003.html

Blog post: http://scarybeastsecurity.blogspot.com/2009/03/littlecms-vulnerabilities.html

The blog post goes into a little more detail on which attack surfaces
LittleCMS is present on, and which system-level defenses mitigate this
vulnerability.

Cheers
Chris
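
The bug class the mail describes, a channel count taken from an untrusted profile and used to fill a fixed-size stack array of curve pointers, is easy to model. The following is an added example, not code from this mail or from lcms: it uses an invented tag layout (a big-endian u32 channel count, then per channel a u32 sample count and that many u16 samples), an assumed array capacity `MAX_CHANNELS`, and hypothetical function names. The comparison of `channels` against `cap` in `read_set_of_curves()` is the validation the mail says some lcms code paths lacked; the constructed samples show a well-formed tag being accepted and an oversized or truncated one being rejected instead of written past the array.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed capacity of the fixed-size stack array of curve pointers. */
#define MAX_CHANNELS 16

/* One per-channel curve; its samples live in a heap chunk, mirroring the
 * "pointers to heap chunks" the mail describes landing on the stack. */
typedef struct {
    uint32_t n_entries;
    uint16_t *entries;
} Curve;

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void be32_put(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

static void free_curves(Curve **curves, uint32_t n) {
    for (uint32_t i = 0; i < n; i++)
        if (curves[i]) { free(curves[i]->entries); free(curves[i]); }
}

/* Parse one curve at buf[*off]: u32 sample count, then that many u16 samples.
 * Returns NULL on truncated or oversized input (4096 is an assumed cap). */
static Curve *read_curve(const unsigned char *buf, size_t len, size_t *off) {
    if (len - *off < 4) return NULL;
    uint32_t n = be32(buf + *off);
    *off += 4;
    if (n > 4096 || len - *off < (size_t)n * 2) return NULL;
    Curve *c = malloc(sizeof *c);
    if (!c) return NULL;
    c->n_entries = n;
    c->entries = n ? malloc(n * sizeof *c->entries) : NULL;
    if (n && !c->entries) { free(c); return NULL; }
    for (uint32_t i = 0; i < n; i++)
        c->entries[i] = (uint16_t)((buf[*off + 2 * i] << 8) | buf[*off + 2 * i + 1]);
    *off += (size_t)n * 2;
    return c;
}

/* Hardened reader: fills at most `cap` slots of the caller's array and returns
 * the channel count, or -1 on invalid input. Without the `channels > cap`
 * check the loop below would write curve pointers past the end of the array. */
int read_set_of_curves(const unsigned char *buf, size_t len,
                       Curve **curves, size_t cap) {
    if (len < 4) return -1;
    uint32_t channels = be32(buf);
    if (channels == 0 || channels > cap) return -1;   /* the missing check */
    memset(curves, 0, cap * sizeof *curves);
    size_t off = 4;
    for (uint32_t i = 0; i < channels; i++) {
        curves[i] = read_curve(buf, len, &off);
        if (!curves[i]) { free_curves(curves, i); return -1; }
    }
    return (int)channels;
}

/* Caller holding the fixed-size stack array, the shape the mail describes. */
int load_curves(const unsigned char *buf, size_t len) {
    Curve *curves[MAX_CHANNELS];              /* fixed-size stack buffer */
    int n = read_set_of_curves(buf, len, curves, MAX_CHANNELS);
    if (n > 0) free_curves(curves, (uint32_t)n);
    return n;
}

/* Build a constructed sample tag: channel count, then one two-sample curve
 * per channel. Returns the byte length, or 0 if `out` is too small. */
size_t build_sample(uint32_t channels, unsigned char *out, size_t cap) {
    size_t need = 4 + (size_t)channels * 8;
    if (need > cap) return 0;
    be32_put(out, channels);
    for (uint32_t i = 0; i < channels; i++) {
        unsigned char *p = out + 4 + (size_t)i * 8;
        be32_put(p, 2);                     /* two samples per curve */
        p[4] = 0x00; p[5] = 0x00;           /* sample 0x0000 */
        p[6] = 0xFF; p[7] = 0xFF;           /* sample 0xFFFF */
    }
    return need;
}

/* Build a sample with `channels` channels and parse it. */
int demo_result(uint32_t channels) {
    unsigned char buf[1024];
    size_t len = build_sample(channels, buf, sizeof buf);
    return len ? load_curves(buf, len) : -1;
}

/* Same, but hand the parser a buffer cut short of the last curve. */
int demo_truncated(void) {
    unsigned char buf[1024];
    size_t len = build_sample(3, buf, sizeof buf);
    return load_curves(buf, len - 5);
}

int main(void) {
    printf("3 channels  -> %d\n", demo_result(3));    /* 3 */
    printf("64 channels -> %d\n", demo_result(64));   /* -1, rejected */
    printf("truncated   -> %d\n", demo_truncated());  /* -1 */
    return 0;
}
```

The defensive point is that the check has to happen on every code path that fills the array, before the first write; the 64-channel sample is rejected up front rather than after sixteen pointers have already been stored.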
