Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#36783 - [lcms] Patch for CVE-2013-4276 in lcms
Attached to Project:
Arch Linux
Opened by RbN (RbN) - Tuesday, 03 September 2013, 16:57 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Friday, 06 September 2013, 07:12 GMT
Opened by RbN (RbN) - Tuesday, 03 September 2013, 16:57 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Friday, 06 September 2013, 07:12 GMT
|
Detailslcms is not supported anymore by upstream.
Anyway, it is still used by some other softwares and in the repositories. There is a vulnerability with a possibility of some exploitable buffer overflows. A patch can be found here : https://bugzilla.redhat.com/attachment.cgi?id=783274 The original bug report in Debian Buzilla is : http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718682 An the thread in oss-sec with the CVE attribution : http://www.openwall.com/lists/oss-security/2013/08/05/2 I compiled lcms with this patch and everything goes fine, I also test quickly each binaries provided by lcms. |
This task depends upon
Closed by Bartłomiej Piotrowski (Barthalion)
Friday, 06 September 2013, 07:12 GMT
Reason for closing: Fixed
Additional comments about closing: lcms 1.19-4
Friday, 06 September 2013, 07:12 GMT
Reason for closing: Fixed
Additional comments about closing: lcms 1.19-4