openjdk team mailing list archive

Thread
Date
[Bug 700198] Re: CVE-2009-0793

To: openjdk@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <700198@xxxxxxxxxxxxxxxxxx>
Date: Tue, 19 Apr 2011 19:07:03 -0000
Reply-to: Bug 700198 <700198@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
This bug was fixed in the package ia32-libs - 2.7ubuntu17.1

---------------
ia32-libs (2.7ubuntu17.1) karmic-security; urgency=low

  * SECURITY UPDATE: Refresh packages to pull in security fixes,
    including:
    - lcms: buffer overflow, CVE-2009-0793 (LP: #700198)
    - openssl: multiple issues, including CVE-2009-3555, CVE-2009-3245,
      and CVE-2010-2939
    - libpango1.0: multiple DoS, possible code execution issues:
      CVE-2010-0421, CVE-2011-0020, CVE-2011-0064
    - libfreetype: multiple DoS, possible code execution issues:
      CVE-2010-3311, CVE-2010-3814, CVE-2010-3855, CVE-2010-1797,
      CVE-2010-2541, CVE-2010-2805, CVE-2010-2806, CVE-2010-2807,
      CVE-2010-2808, CVE-2010-2498, CVE-2010-2499, CVE-2010-2500,
      CVE-2010-2519, CVE-2010-2520, CVE-2010-2527
    - nss: many issues
 -- Steve Beattie <sbeattie@xxxxxxxxxx>   Tue, 12 Apr 2011 02:08:26 -0700

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-6 in Ubuntu.
https://bugs.launchpad.net/bugs/700198

Title:
  CVE-2009-0793

Status in “gimp” package in Ubuntu:
  Invalid
Status in “ia32-libs” package in Ubuntu:
  Fix Released
Status in “lcms” package in Ubuntu:
  Fix Released
Status in “openjdk-6” package in Ubuntu:
  Fix Released
Status in “openjdk-6b18” package in Ubuntu:
  Fix Released
Status in “gimp” source package in Lucid:
  Invalid
Status in “ia32-libs” source package in Lucid:
  Fix Released
Status in “lcms” source package in Lucid:
  Fix Released
Status in “openjdk-6” source package in Lucid:
  Fix Released
Status in “openjdk-6b18” source package in Lucid:
  Fix Released
Status in “gimp” source package in Maverick:
  Invalid
Status in “ia32-libs” source package in Maverick:
  Fix Released
Status in “lcms” source package in Maverick:
  Fix Released
Status in “openjdk-6” source package in Maverick:
  Fix Released
Status in “openjdk-6b18” source package in Maverick:
  Fix Released
Status in “gimp” source package in Natty:
  Invalid
Status in “ia32-libs” source package in Natty:
  Fix Released
Status in “lcms” source package in Natty:
  Fix Released
Status in “openjdk-6” source package in Natty:
  Fix Released
Status in “openjdk-6b18” source package in Natty:
  Fix Released
Status in “gimp” source package in Hardy:
  Invalid
Status in “ia32-libs” source package in Hardy:
  Fix Released
Status in “lcms” source package in Hardy:
  Fix Released
Status in “openjdk-6” source package in Hardy:
  Fix Released
Status in “openjdk-6b18” source package in Hardy:
  Invalid
Status in “gimp” source package in Karmic:
  Invalid
Status in “ia32-libs” source package in Karmic:
  Fix Released
Status in “lcms” source package in Karmic:
  Fix Released
Status in “openjdk-6” source package in Karmic:
  Fix Released
Status in “openjdk-6b18” source package in Karmic:
  Invalid

Bug description:
  Description
  cmsxform.c in LittleCMS (aka lcms or liblcms) 1.18, as used in OpenJDK and
  other products, allows remote attackers to cause a denial of service (NULL
  pointer dereference and application crash) via a crafted image that
  triggers execution of incorrect code for "transformations of monochrome
  profiles."