A security flaw has been identified and fixed in the argyllcms software package; attackers could exploit it to execute arbitrary code with elevated privileges.
Package:
argyllcms 1.x
Operating systems:
Fedora 16
Severity:
4.4
Problem:
improper memory handling, error in a software component
Exploitation:
local
Consequence:
privilege escalation, arbitrary code execution
Solution:
vendor software patch
CVE:
CVE-2012-1616
Original advisory ID:
FEDORA-2012-6529
Source:
Fedora
Problem:
The "icclib" software component has been found to handle memory improperly.
Consequence:
A malicious attacker can exploit this flaw to execute arbitrary code with the privileges of the user who ran the program.
Solution:
Users are advised to apply the official software updates.
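The Fedora changelog on this page records a double free in icc/icc.c for profiles that carry duplicate tags, and the referenced Red Hat bug describes a use-after-free triggered by crafted ICC profile files. The C program below is an added illustration, not icclib's or Argyll's code: it models a simplified ICC tag table with hypothetical structures and names (`icc_tag`, `icc_parse_tag_table`, `icc_free_tag_table`, `check_sample`) and shows the defensive handling a profile parser needs, rejecting tag entries that repeat a signature before any payload is allocated, bounds-checking every entry against the file length, and clearing each pointer after release so that a repeated release cannot become a double free. The sample profile bytes are constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified ICC tag-table model for illustration only;
 * these structures and names are not icclib's own code. */
typedef struct {
    uint32_t sig;    /* four-byte tag signature, e.g. 'desc' */
    uint32_t offset; /* byte offset of the tag data inside the profile */
    uint32_t size;   /* byte length of the tag data */
    void *data;      /* heap copy of the tag data, NULL until loaded */
} icc_tag;

typedef struct {
    size_t count;
    icc_tag *tags;
} icc_tag_table;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Parse the tag table at `tt_off` in a profile of `len` bytes: a 4-byte
 * entry count followed by 12-byte entries of (sig, offset, size).
 * Returns 0 on success, -1 if the table is truncated, an entry points outside
 * the profile, or two entries share a signature. Refusing duplicates before
 * anything is allocated is the defensive point: a loader that keys tag storage
 * by signature but releases it once per entry frees one buffer twice. */
int icc_parse_tag_table(const uint8_t *buf, size_t len, size_t tt_off,
                        icc_tag_table *out) {
    out->count = 0;
    out->tags = NULL;
    if (tt_off > len || len - tt_off < 4) return -1;
    uint32_t n = be32(buf + tt_off);
    if (n == 0 || n > (len - tt_off - 4) / 12) return -1; /* truncated table */
    icc_tag *tags = calloc(n, sizeof *tags);
    if (!tags) return -1;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *e = buf + tt_off + 4 + (size_t)i * 12;
        tags[i].sig = be32(e);
        tags[i].offset = be32(e + 4);
        tags[i].size = be32(e + 8);
        /* overflow-safe form of: offset + size <= len */
        if (tags[i].size > len || tags[i].offset > len - tags[i].size) {
            free(tags); return -1;
        }
        for (uint32_t j = 0; j < i; j++)
            if (tags[j].sig == tags[i].sig) { free(tags); return -1; } /* dup */
    }
    out->count = n;
    out->tags = tags;
    return 0;
}

/* Copy each tag's payload into a buffer owned by exactly one entry. */
int icc_load_tags(const uint8_t *buf, icc_tag_table *t) {
    for (size_t i = 0; i < t->count; i++) {
        void *d = malloc(t->tags[i].size ? t->tags[i].size : 1);
        if (!d) return -1;
        memcpy(d, buf + t->tags[i].offset, t->tags[i].size);
        t->tags[i].data = d;
    }
    return 0;
}

/* Release the table; pointers are cleared after free, so calling this
 * twice is harmless rather than a double free. */
void icc_free_tag_table(icc_tag_table *t) {
    for (size_t i = 0; i < t->count; i++) {
        free(t->tags[i].data);
        t->tags[i].data = NULL;
    }
    free(t->tags);
    t->tags = NULL;
    t->count = 0;
}

/* Constructed 40-byte sample profile: count 2, two entries, payloads at
 * offsets 28 (8 bytes) and 36 (4 bytes). mode 0: well formed;
 * mode 1: second entry repeats 'desc'; mode 2: second entry runs past EOF. */
size_t build_sample_profile(uint8_t *buf, int mode) {
    memset(buf, 0, 40);
    put_be32(buf, 2);
    put_be32(buf + 4, 0x64657363); /* 'desc' */
    put_be32(buf + 8, 28);  put_be32(buf + 12, 8);
    put_be32(buf + 16, mode == 1 ? 0x64657363 : 0x77747074); /* 'desc'/'wtpt' */
    put_be32(buf + 20, 36); put_be32(buf + 24, mode == 2 ? 100 : 4);
    memcpy(buf + 28, "profile1", 8);
    memcpy(buf + 36, "wht", 4);
    return 40;
}

/* Parse, load and release the sample; returns the tag count, or -1 if the
 * parser rejected the profile. */
int check_sample(int mode) {
    uint8_t buf[40];
    size_t len = build_sample_profile(buf, mode);
    icc_tag_table t;
    if (icc_parse_tag_table(buf, len, 0, &t) != 0) return -1;
    if (icc_load_tags(buf, &t) != 0) { icc_free_tag_table(&t); return -1; }
    int rc = (int)t.count;
    icc_free_tag_table(&t);
    icc_free_tag_table(&t); /* second release is a no-op */
    return rc;
}
```

`check_sample(0)` parses the well-formed sample and returns 2; modes 1 and 2 are rejected at the tag-table stage, before any tag payload is allocated, which is where the check belongs: once two entries with the same signature have been accepted, every later ownership decision about that tag's storage becomes ambiguous.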
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-6529
2012-04-24 14:11:34
--------------------------------------------------------------------------------
Name : argyllcms
Product : Fedora 16
Version : 1.4.0
Release : 1.fc16
URL : http://gitorious.org/hargyllcms
Summary : ICC compatible color management system
Description :
The Argyll color management system supports accurate ICC profile creation for
acquisition devices, CMYK printers, film recorders and calibration and profiling
of displays.
Spectral sample data is supported, allowing a selection of illuminants observer
types, and paper fluorescent whitener additive compensation. Profiles can also
incorporate source specific gamut mappings for perceptual and saturation
intents. Gamut mapping and profile linking uses the CIECAM02 appearance model,
a unique gamut mapping algorithm, and a wide selection of rendering intents. It
also includes code for the fastest portable 8 bit raster color conversion
engine available anywhere, as well as support for fast, fully accurate 16 bit
conversion. Device color gamuts can also be viewed and compared using a VRML
viewer.
--------------------------------------------------------------------------------
Update Information:
- Update to latest upstream release
- A colorimeter can now be used as a reference to make ccmx files
- Added dither/screening support for 8 bit output of render
- Added JPEG file support to cctiff, tiffgamut and extracticc
- Fixed double free in icc/icc.c for profiles that have duplicate tags
- Fix bugs in ColorMunki Transmissive measurement mode calibration.
--------------------------------------------------------------------------------
ChangeLog:
* Fri Apr 20 2012 Richard Hughes <e-mail address hidden> - 1.4.0-1
- Update to latest upstream release
- A colorimeter can now be used as a reference to make ccmx files
- Added dither/screening support for 8 bit output of render
- Added JPEG file support to cctiff, tiffgamut and extracticc
- Fixed double free in icc/icc.c for profiles that have duplicate tags
- Fix bugs in ColorMunki Transmissive measurement mode calibration.
* Mon Mar 19 2012 Richard Hughes <e-mail address hidden> - 1.3.7-1
- Update to 1.3.7
- Fix regression in Spyder support - ccmx files were not being handled
* Mon Mar 19 2012 Richard Hughes <e-mail address hidden> - 1.3.6-1
- Update to 1.3.6
- Add a -V option to spotread to allow tracking reading consistency.
- Add ColorHug support upstream (so distro patch removed).
- Add Spyder4 support.
- Add support for NEC SpectraSensor Pro version of the i1d3.
- Changed and expanded display selection to be instrument specific.
* Tue Feb 7 2012 Richard Hughes <e-mail address hidden> - 1.3.5-7
- Ship a shared library to reduce the installed package size from
27.7Mb to 3.2Mb by removing 46 instances of static linking.
* Wed Jan 25 2012 Richard Hughes <e-mail address hidden> - 1.3.5-6
- Fix the ColorHug patch to not time out with firmware >= 1.1.1
* Fri Jan 20 2012 Richard Hughes <e-mail address hidden> - 1.3.5-5
- Fix the ColorHug patch to correctly report negative numbers.
* Sun Dec 11 2011 Richard Hughes <e-mail address hidden> - 1.3.5-4
- Build and install ccxxmake, iccdump and icclu.
* Fri Dec 2 2011 Richard Hughes <e-mail address hidden> - 1.3.5-3
- Add an experimental ColorHug sensor driver.
* Thu Dec 1 2011 Richard Hughes <e-mail address hidden> - 1.3.5-1
- Update to 1.3.5
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #809697 - CVE-2012-1616 icclib: Use-after-free via crafted ICC profile files
https://bugzilla.redhat.com/show_bug.cgi?id=809697
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update argyllcms' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
<e-mail address hidden>
https://admin.fedoraproject.org/mailman/listinfo/package-announce