lcms: ICC profile version check security fix - CVE-2014-0459

[thoger]

Yesterday, a commit was made to OpenJDK (and the same issue fixed in Oracle JDK via Oracle Critical Patch Update Advisory - April 2014) fixing an issue in embedded lcms.

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/d6739b8326a4
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html#AppendixJAVA

Fix adds code that validates profile version.

There are no real details available, CVSS score used in the CPU indicates that lack of the check impacts application availability, possibly causing crash.

This check is currently not part of the Little-CMS git master. I'm unsure if you were notified about this issue by Oracle, or if you may have more details about affected versions (i.e. whether 1.x and 2.x are affected).

[mm2]

Thanks Tomas,
Yes, Oracle guys already notified me. I have fixed it on GIT. Severity is low, as it cannot be used as exploit.
Regards, Marti.

[thoger]

Thank you for the quick response! For posterity, commit is 74ba391.

Can you share any details on the impact or if this is needed for 1.x too?

[mm2]

Probably.. but I don't maintain 1.x anymore, it has more serious security issues that this one. My recommendation is to migrate to 2.6 and avoid problems.