diff -Nru lcms2-2.5/debian/changelog lcms2-2.5/debian/changelog
--- lcms2-2.5/debian/changelog 2016-05-02 19:03:29.000000000 +0000
+++ lcms2-2.5/debian/changelog 2018-09-19 14:46:23.000000000 +0000
@@ -1,3 +1,14 @@
+lcms2 (2.5-0ubuntu4.2) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: Denial of service
+ - debian/patches/CVE-2016-10165.patch: fix in src/cmstypes.c.
+ - CVE-2016-10165
+ * SECURITY UPDATE: Integer overflow
+ - debian/patches/CVE-2018-16435.patch: fix in src/cmscgats.c.
+ - CVE-2018-16435
+
+ -- Leonidas S. Barbosa Wed, 19 Sep 2018 11:46:00 -0300
+
 lcms2 (2.5-0ubuntu4.1) trusty-security; urgency=medium
 
 * SECURITY UPDATE: double free in DefaultICCintents()
diff -Nru lcms2-2.5/debian/patches/CVE-2016-10165.patch lcms2-2.5/debian/patches/CVE-2016-10165.patch
--- lcms2-2.5/debian/patches/CVE-2016-10165.patch 1970-01-01 00:00:00.000000000 +0000
+++ lcms2-2.5/debian/patches/CVE-2016-10165.patch 2018-09-19 14:45:39.000000000 +0000
@@ -0,0 +1,22 @@
+From 5ca71a7bc18b6897ab21d815d15e218e204581e2 Mon Sep 17 00:00:00 2001
+From: Marti
+Date: Mon, 15 Aug 2016 23:31:39 +0200
+Subject: [PATCH] Added an extra check to MLU bounds
+
+Thanks to Ibrahim el-sayed for spotting the bug
+---
+ src/cmstypes.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: lcms2-2.5/src/cmstypes.c
+===================================================================
+--- lcms2-2.5.orig/src/cmstypes.c
++++ lcms2-2.5/src/cmstypes.c
+@@ -1457,6 +1457,7 @@ void *Type_MLU_Read(struct _cms_typehand
+
+ // Check for overflow
+ if (Offset < (SizeOfHeader + 8)) goto Error;
++ if ((Offset + Len) > SizeOfTag + 8) goto Error;
+
+ // True begin of the string
+ BeginOfThisString = Offset - SizeOfHeader - 8;
diff -Nru lcms2-2.5/debian/patches/CVE-2018-16435.patch lcms2-2.5/debian/patches/CVE-2018-16435.patch
--- lcms2-2.5/debian/patches/CVE-2018-16435.patch 1970-01-01 00:00:00.000000000 +0000
+++ lcms2-2.5/debian/patches/CVE-2018-16435.patch 2018-09-19 14:45:52.000000000 +0000
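Review bot: The bound added in CVE-2016-10165.patch, `if ((Offset + Len) > SizeOfTag + 8) goto Error;`, does not guard against the sum itself wrapping around. If Offset and Len are 32-bit unsigned values read from the profile, as the surrounding arithmetic suggests (their declarations are outside the hunk), a large pair can wrap to a small sum and pass the test. Comparing without the addition avoids that: `if (Len > SizeOfTag + 8 || Offset > SizeOfTag + 8 - Len) goto Error;`. Type_MLU_Read starts before and continues after the hunk, so how Len is used later could not be checked here.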
@@ -0,0 +1,32 @@
+From 768f70ca405cd3159d990e962d54456773bb8cf8 Mon Sep 17 00:00:00 2001
+From: Marti Maria
+Date: Wed, 15 Aug 2018 20:07:56 +0200
+Subject: [PATCH] Upgrade Visual studio 2017 15.8
+
+- Upgrade to 15.8
+- Add check on CGATS memory allocation (thanks to Quang Nguyen for
+pointing out this)
+diff --git a/src/cmscgats.c b/src/cmscgats.c
+index 53730e9..d4ab2fd 100644
+--- a/src/cmscgats.c
++++ b/src/cmscgats.c
+@@ -1500,10 +1500,16 @@ void AllocateDataSet(cmsIT8* it8)
+ t-> nSamples = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_FIELDS"));
+ t-> nPatches = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_SETS"));
+
+- t-> Data = (char**)AllocChunk (it8, ((cmsUInt32Number) t->nSamples + 1) * ((cmsUInt32Number) t->nPatches + 1) *sizeof (char*));
+- if (t->Data == NULL) {
++ if (t -> nSamples < 0 || t->nSamples > 0x7ffe || t->nPatches < 0 || t->nPatches > 0x7ffe)
++ {
++ SynError(it8, "AllocateDataSet: too much data");
++ }
++ else {
++ t->Data = (char**)AllocChunk(it8, ((cmsUInt32Number)t->nSamples + 1) * ((cmsUInt32Number)t->nPatches + 1) * sizeof(char*));
++ if (t->Data == NULL) {
+
+- SynError(it8, "AllocateDataSet: Unable to allocate data array");
++ SynError(it8, "AllocateDataSet: Unable to allocate data array");
++ }
+ }
+
+ }
diff -Nru lcms2-2.5/debian/patches/series lcms2-2.5/debian/patches/series
--- lcms2-2.5/debian/patches/series 2016-05-02 18:54:26.000000000 +0000
+++ lcms2-2.5/debian/patches/series 2018-09-19 14:45:52.000000000 +0000
@@ -5,3 +5,5 @@
 byte-order.patch
 fix-floating-point-rounding-in-version-numbers.diff
 CVE-2013-7455.patch
+CVE-2016-10165.patch
+CVE-2018-16435.patch
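Review bot: The per-dimension limit of 0x7ffe in the added range test in CVE-2018-16435.patch still lets the element count reach 0x7fff * 0x7fff, and multiplying that by `sizeof(char*)` no longer fits in 32 bits when pointers are 8 bytes. Whether that matters depends on the width of AllocChunk's size parameter, which is not visible here; if it is a 32-bit type, the request would be truncated and the array undersized on 64-bit builds. Capping the product in the same test closes the gap, e.g. appending `|| ((cmsUInt32Number)t->nSamples + 1) * ((cmsUInt32Number)t->nPatches + 1) > 0xFFFFFFFFU / sizeof(char*)` after the existing clauses so it is only evaluated once both counts are in range. On the reject path nSamples and nPatches keep the rejected values and the function returns void, so a comment stating that callers must check `t->Data` afterwards would help; AllocateDataSet begins outside the hunk.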