[argyllcms] Re: Security problems in Argyll's icclib

  • From: Tommaso Schiavinotto <mynos_main@xxxxxxxx>
  • To: argyllcms@xxxxxxxxxxxxx
  • Date: Sat, 4 Apr 2009 08:30:53 +0000 (GMT)

Hi Graeme,

Just check that it is not the same patch that Boudewijn Rempt of Krita is
complaining about here:
http://www.valdyas.org/fading/index.cgi/2009/04/03

Regards,
--Tommaso




________________________________
From: Graeme Gill <graeme@xxxxxxxxxxxxx>
To: argyllcms@xxxxxxxxxxxxx
Sent: Saturday, 4 April 2009, 1:33:00
Subject: [argyllcms] Re: Security problems in Argyll's icclib

Roland Mas wrote:
>   Graeme, I'd like your opinion on this patch.  It didn't apply cleanly

Well, I find it interesting that whoever originally
noticed problems didn't bother to contact me first; all they
seemed interested in was their Linux distro. (I'm coming to the
conclusion this is pretty typical behavior, judging from similar
responses to patches to xli. Courtesy in regard to upstream seems
to be completely lacking, never mind concern about any other users
of the library.)

The general issue addressed is probably fair enough, and was one
motivating factor in attempting to develop icclib4, the (still
unfinished, unreleased) ICCV4 version of icclib that has been
written with security against crafted files particularly in mind.
One of the things I realized in writing it was that although in icclib
I had attempted to guard against wrong lengths and malloc failures,
I hadn't understood the implications of integer overflow.
The icclib4 approach is rather more robust than the patches
against the current icclib; nevertheless, I'll attempt to
audit the changes and update the code. (I note that
Marti Maria has had an issue with someone contributing
"security" fixes to lcms that turned out to be undesirable.)

Thanks for bringing it to my attention.

Graeme Gill.
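The failure mode Graeme describes above, a length guard that checks the right thing but computes the needed size in 32 bits and so is defeated by integer overflow in a crafted file, as an added C example that is not icclib's code; the table layout, the function names and the sample headers are constructed for illustration only:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical table layout (not icclib's): a 4-byte big-endian entry
 * count followed by ENTRY_SIZE-byte entries. */
#define ENTRY_SIZE 8U

static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Length guard as it is often first written: count * ENTRY_SIZE is
 * computed in 32 bits, so a large crafted count wraps and the comparison
 * passes even though the table it describes is far larger than the buffer. */
int naive_table_ok(const unsigned char *buf, size_t len)
{
    if (len < 4) return 0;
    uint32_t count = read_be32(buf);
    uint32_t need = count * ENTRY_SIZE;       /* wraps modulo 2^32 */
    return need <= len - 4;
}

/* Overflow-aware guard: compare count against how many whole entries the
 * remaining bytes could hold, so no intermediate product can overflow. */
int safe_table_ok(const unsigned char *buf, size_t len)
{
    if (len < 4) return 0;
    uint32_t count = read_be32(buf);
    size_t avail = len - 4;
    return count <= avail / ENTRY_SIZE;
}

/* Constructed sample headers, each followed by one 8-byte entry. The crafted
 * count 0x20000000 * 8 == 2^32, which wraps to 0 in 32-bit arithmetic. */
const unsigned char honest_hdr[12]  = { 0x00, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0, 0, 0 };
const unsigned char crafted_hdr[12] = { 0x20, 0x00, 0x00, 0x00, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    printf("honest:  naive=%d safe=%d\n",
           naive_table_ok(honest_hdr, sizeof honest_hdr),
           safe_table_ok(honest_hdr, sizeof honest_hdr));
    printf("crafted: naive=%d safe=%d\n",
           naive_table_ok(crafted_hdr, sizeof crafted_hdr),
           safe_table_ok(crafted_hdr, sizeof crafted_hdr));
    return 0;
}
```

The naive guard accepts the crafted header (need wraps to 0), while the division-based guard rejects it; the same pattern applies to any count-times-size allocation derived from file data.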
