Debian Security Advisory

DSA-1684-1 lcms -- multiple vulnerabilities

Date Reported:
10 Dec 2008
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2008-5316, CVE-2008-5317.
More information:

Two vulnerabilities have been found in lcms, a library and set of commandline utilities for image color management. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2008-5316

    Inadequate enforcement of fixed-length buffer limits allows an attacker to overflow a buffer on the stack, potentially enabling the execution of arbitrary code when a maliciously-crafted image is opened.

  • CVS-2008-5317

    An integer sign error in reading image gamma data could allow an attacker to cause an under-sized buffer to be allocated for subsequent image data, with unknown consequences potentially including the execution of arbitrary code if a maliciously-crafted image is opened.

For the stable distribution (etch), these problems have been fixed in version 1.15-1.1+etch1.

For the upcoming stable distribution (lenny), and the unstable distribution (sid), these problems are fixed in version 1.17.dfsg-1.

We recommend that you upgrade your lcms packages.

Fixed in:

Debian GNU/Linux 4.0 (etch)

HP Precision:
Intel IA-32:
Intel IA-64:
Big-endian MIPS:
Little-endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.