Abhinav Agarwal <[email protected]> writes:

> A 992-byte PDF crashes a bunch of stock Ubuntu 24.04 consumers:
> evince-thumbnailer, Poppler (pdftoppm / pdftocairo / pdfimages),
> the cups-filters PDF-to-raster print filter, Okular, and GIMP's
> PDF plug-in all segfault inside liblcms2. OpenJDK 21 on Ubuntu
> crashes too, and Windows Temurin 21.0.9 crashes in its bundled
> lcms.dll (3/3 independent runs). There's also a coarse
> seed-correlated heap-read primitive on Linux glibc with ASLR off - a
> real CWE-200 channel, though not a generic arbitrary read. Upstream
> fixed it on master in February/March but hasn't cut a release, no
> advisory, no CVE. The GHSA I filed was closed without a reply.
> Looking for a CVE and for distro attention.
>
> [...]
>
> Timeline
> --------
>
> 2010-10     CubeSize() check-after-multiply pattern introduced.
> 2026-02-19  Fix 1: da6110b.
> 2026-03-12  Fix 2: e0641b1.
> 2026-04-13  GHSA-4xp6-rcgg-m9qq filed (private advisory).
> 2026-04-14  MITRE CVE request filed (CVE Request 2025002).
>             Submitted with the evidence that existed at the time.
> 2026-04-16  Asked the maintainer on the GHSA whether he'd triage,
>             told him I'd publish otherwise.
> 2026-04-17  GHSA closed without engagement. Public disclosure
Upstream have amended their policy now [0]:

> Please contact me instead. Security advisories are immediately deleted without
> checking due to high level of SPAM received.

[0] https://github.com/mm2/Little-CMS/commit/5afc7476582b29a2b3f967a1999cf14d60a93943

There have also been two fixes in master that didn't come up here:

* 'A try to get rid of spam reports about "vulnerabilities" that are not real.'
  (https://github.com/mm2/Little-CMS/commit/429ea284550f1925d5b1b4b9ef901dfd62031158)
* 'Add guard on integer overflow when reading .cube files'
  (https://github.com/mm2/Little-CMS/commit/704896b7d690a0f31845d9622681058e812e9b53)

I have not analysed either.

> [...]

sam
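The "check-after-multiply" pattern named in the timeline, shown as an added example that is not lcms2's code: a hypothetical CubeSize-style size computation that validates the product only after computing it, beside one that checks each multiplication for overflow before trusting the result. The function names, the entry cap and the sample dimensions are my own assumptions, and the overflow-checked multiply relies on the GCC/Clang builtin.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed cap on the number of LUT entries a reader is willing to allocate. */
#define MAX_CUBE_ENTRIES (64u * 1024u * 1024u)

/* Check-after-multiply: the product grid^3 * channels is computed in 32-bit
 * unsigned arithmetic first, so a large grid wraps around modulo 2^32 and the
 * range check is applied to the wrapped (small) value. Returns 0 on rejection.
 * A wrapped size that later drives an allocation leaves the buffer far smaller
 * than the data written into it, which is the failure mode the fixes address. */
uint32_t cube_size_unsafe(uint32_t grid, uint32_t channels)
{
    uint32_t entries = grid * grid * grid * channels;   /* may wrap */
    if (entries == 0 || entries > MAX_CUBE_ENTRIES)
        return 0;
    return entries;
}

/* Check-before-multiply: every step is an overflow-checked multiply, so the
 * only value that reaches the range check is the exact product. Returns 0 on
 * rejection, including any step that would not fit in 32 bits. */
uint32_t cube_size_safe(uint32_t grid, uint32_t channels)
{
    uint32_t n;
    if (grid == 0 || channels == 0) return 0;
    if (__builtin_mul_overflow(grid, grid, &n)) return 0;
    if (__builtin_mul_overflow(n, grid, &n)) return 0;
    if (__builtin_mul_overflow(n, channels, &n)) return 0;
    if (n > MAX_CUBE_ENTRIES) return 0;
    return n;
}

int main(void)
{
    /* Constructed dimensions: 1626^3 = 4298942376, which exceeds 2^32 and wraps
     * to 3975080, a value the post-multiply check happily accepts. */
    printf("grid=1626 ch=1  unsafe=%u safe=%u\n",
           cube_size_unsafe(1626u, 1u), cube_size_safe(1626u, 1u));
    /* An ordinary 33-point, 3-channel cube is accepted by both. */
    printf("grid=33   ch=3  unsafe=%u safe=%u\n",
           cube_size_unsafe(33u, 3u), cube_size_safe(33u, 3u));
    return 0;
}
```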