Bug#728208: liblcms1: CVE-2013-4160 - lcms can be made to crash

[Tobias Frost]

Package: liblcms1
Tags: +patch
Followup-For: Bug #728208

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

I analyzed the bugfix [1] upstream applied to fix this CVE in lcms-2, and 
backported
the fix.
The code diverged very much and some of the issues are not in lcms1, therefore 
the
is the patch very brief...

Patch attached.

[1] 
https://github.com/mm2/Little-CMS/commit/91c2db7f2559be504211b283bc3a2c631d6f06d9#diff-71ceac61c5cd61ded00fd656b179a061R1178


(PS: I'm preparing a NMU with this patch) 

- -- 
Tobias

- -- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJTNAN5AAoJEJFk+h0XvV02/A4QAML7a5MrfQ4m1O65HxKmXRZl
94JS8lPALa+HEGHFkET5lDE+rYZdlq6mrgtVrqo9063P5uvf+lxMHek+55c94OG0
D/bLIC7G8LBOiM1suDHtddc0R91xumKgifRm4JiculI20N3sb3azkhCS8IWlP78R
M+LEaqobwYz+rIBqgzJnbBKH2F3enoqDyybbCqZdRMzVdnwuv8AnooV39UFzIaGE
n8k50h4GakgpnIJ1dKowH3L711mhXJm+K+Ze9ypMzEyd7Lh3L9ZfLRLzw184adPk
OJ4Py8CY7I+3ext2tNMk/laAFDXK5wh6doX5QCuKIPO2YJ0iZcBj8ZRdyQtK7Ncy
VNnW8UuYX5NlxQEkip6Q3ImlaxMID7HTfKqUG7Zx2lWwiudhLopzfKZQQJJxEOH1
4eLMb3/k+yQYIegwXF72v2xLo99GzplGJEofKPLOJTdIfM8PuwrdxDi3tUdtOuiY
OOuPWYVu5Bibn6g2qZlm8sj8c4Dx9TRI411CAXWBlFe5nP6Dfi2JaucVqa3nR8rH
o9SWqrlBBv+nHLD1UscG6F6c57vieuJayocOCiO9ZzYabLMUEA9weLsIkE+RySpB
752pFzqnNfJubMPMS5753Hr6+kP3cMe8v87XRlAkeAcTw9aQrN1I5PxsNOxExFqx
6M+nD5YcF1ns9loOXqq/
=ggGP
-----END PGP SIGNATURE-----

diff -Naur lcms-1.19.dfsg/src/cmsio1.c backup2/src/cmsio1.c
--- lcms-1.19.dfsg/src/cmsio1.c	2014-03-27 09:09:17.997870264 +0100
+++ backup2/src/cmsio1.c	2009-11-13 10:02:11.000000000 +0100
@@ -2007,9 +2007,9 @@
                           return 0;
                 }
 
-                strncpy(v ->NamedColorList->Prefix, (const char*) nc2.prefix, 31);
-                strncpy(v ->NamedColorList->Suffix, (const char*) nc2.suffix, 31);
-                v ->NamedColorList->Prefix[31] = v->NamedColorList->Suffix[31] = 0;
+                strncpy(v ->NamedColorList->Prefix, (const char*) nc2.prefix, 32);
+                strncpy(v ->NamedColorList->Suffix, (const char*) nc2.suffix, 32);
+                v ->NamedColorList->Prefix[32] = v->NamedColorList->Suffix[32] = 0;
                 
                 v ->NamedColorList ->ColorantCount = nc2.nDeviceCoords;