Submitted By: Fernando de Oliveira Date: 2015-03-24 Initial Package Version: 1.19 Upstream Status: unknown Origin: Arch Linux URL (CVE): https://www.suse.com/security/cve/CVE-2013-4276.html Description: Multiple stack-based buffer overflows in LittleCMS (aka lcms or liblcms) 1.19 and earlier allow remote attackers to cause a denial of service (crash) via a crafted (1) ICC color profile to the icctrans utility or (2) TIFF image to the tiffdiff utility. diff -ur lcms-1.19.dfsg/samples/icctrans.c lcms-1.19.dfsg-patched/samples/icctrans.c --- lcms-1.19.dfsg/samples/icctrans.c 2009-10-30 15:57:45.000000000 +0000 +++ lcms-1.19.dfsg-patched/samples/icctrans.c 2013-08-06 11:53:14.385266647 +0100 @@ -86,6 +86,8 @@ static LPcmsNAMEDCOLORLIST InputColorant = NULL; static LPcmsNAMEDCOLORLIST OutputColorant = NULL; +unsigned int Buffer_size = 4096; + // isatty replacement @@ -500,7 +502,7 @@ Prefix[0] = 0; if (!lTerse) - sprintf(Prefix, "%s=", C); + snprintf(Prefix, 20, "%s=", C); if (InHexa) { @@ -648,7 +650,9 @@ static void GetLine(char* Buffer) { - scanf("%s", Buffer); + char User_buffer[Buffer_size]; + fgets(User_buffer, (Buffer_size - 1), stdin); + sscanf(User_buffer,"%s", Buffer); if (toupper(Buffer[0]) == 'Q') { // Quit? @@ -668,7 +672,7 @@ static double GetAnswer(const char* Prompt, double Range) { - char Buffer[4096]; + char Buffer[Buffer_size]; double val = 0.0; if (Range == 0.0) { // Range 0 means double value @@ -738,7 +742,7 @@ static WORD GetIndex(void) { - char Buffer[4096], Name[40], Prefix[40], Suffix[40]; + char Buffer[Buffer_size], Name[40], Prefix[40], Suffix[40]; int index, max; max = cmsNamedColorCount(hTrans)-1; diff -ur lcms-1.19.dfsg/tifficc/tiffdiff.c lcms-1.19.dfsg-patched/tifficc/tiffdiff.c --- lcms-1.19.dfsg/tifficc/tiffdiff.c 2009-10-30 15:57:46.000000000 +0000 +++ lcms-1.19.dfsg-patched/tifficc/tiffdiff.c 2013-08-06 11:49:06.698951157 +0100 @@ -633,7 +633,7 @@ cmsIT8SetSheetType(hIT8, "TIFFDIFF"); - sprintf(Buffer, "Differences between %s and %s", TiffName1, TiffName2); + snprintf(Buffer, 256, "Differences between %s and %s", TiffName1, TiffName2); cmsIT8SetComment(hIT8, Buffer);