oss-sec mailing list archives
Re: lcms2 <= 2.18 CubeSize() integer overflow: stock Ubuntu 24.04 Poppler / evince-thumbnailer / OpenJDK crashers (different triggers), no CVE
From: Sam James <sam () gentoo org>
Date: Thu, 30 Apr 2026 05:57:39 +0100
Abhinav Agarwal <abhinavagarwal1996 () gmail com> writes:
A 992-byte PDF crashes a bunch of stock Ubuntu 24.04 consumers: evince-thumbnailer, Poppler (pdftoppm / pdftocairo / pdfimages), the cups-filters PDF-to-raster print filter, Okular, and GIMP's PDF plug-in all segfault inside liblcms2. OpenJDK 21 on Ubuntu crashes too, and Windows Temurin 21.0.9 crashes in its bundled lcms.dll (3/3 independent runs). There's also a coarse seed-correlated heap-read primitive on Linux glibc with ASLR off - a real CWE-200 channel, though not a generic arbitrary read. Upstream fixed it on master in February/March but hasn't cut a release, no advisory, no CVE. The GHSA I filed was closed without a reply. Looking for a CVE and for distro attention.
[...]
Timeline
--------
2010-10    CubeSize() check-after-multiply pattern introduced.
2026-02-19 Fix 1: da6110b.
2026-03-12 Fix 2: e0641b1.
2026-04-13 GHSA-4xp6-rcgg-m9qq filed (private advisory).
2026-04-14 MITRE CVE request filed (CVE Request 2025002). Submitted with the evidence that existed at the time.
2026-04-16 Asked the maintainer on the GHSA whether he'd triage, told him I'd publish otherwise.
2026-04-17 GHSA closed without engagement. Public disclosure
Upstream have amended their policy now [0]:
Please contact me instead. Security advisories are immediately deleted without checking due to high level of SPAM received.
[0] https://github.com/mm2/Little-CMS/commit/5afc7476582b29a2b3f967a1999cf14d60a93943

There have also been two fixes in master that didn't come up here:

* 'A try to get rid of spam reports about "vulnerabilities" that are not real.' (https://github.com/mm2/Little-CMS/commit/429ea284550f1925d5b1b4b9ef901dfd62031158)
* 'Add guard on integer overflow when reading .cube files' (https://github.com/mm2/Little-CMS/commit/704896b7d690a0f31845d9622681058e812e9b53)

I have not analysed either.
[...]
sam
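As an added illustration that is not part of the thread and is not lcms2's own code: the two shapes of the size guard the timeline names, "check-after-multiply" (the product wraps in 32 bits and the small wrapped value passes the bound check) beside a check-before-multiply guard that refuses an oversized cube before any intermediate can wrap. `cube_size_check_after`, `cube_size_check_before`, `mul_bounded` and the `MAX_LUT_ENTRIES` bound are hypothetical names and values chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed bound: the most LUT entries a consumer will allocate. */
#define MAX_LUT_ENTRIES (1u << 28)

/* Check-after-multiply (the vulnerable shape): the product is formed in
 * 32 bits first and compared afterwards.  When n*n*n*channels exceeds
 * 2^32 the value wraps, and the small wrapped result passes the check.
 * Returns the accepted size, or -1 when rejected.  Hypothetical code. */
static int64_t cube_size_check_after(uint32_t n, uint32_t channels)
{
    uint32_t entries = n * n * n * channels;   /* may silently wrap */
    if (entries > MAX_LUT_ENTRIES)
        return -1;
    return (int64_t)entries;
}

/* Multiply a by b only if the result stays within limit; because
 * limit <= UINT32_MAX, the product itself can then never wrap. */
static int mul_bounded(uint32_t a, uint32_t b, uint32_t limit, uint32_t *out)
{
    if (a != 0 && b > limit / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Check-before-multiply (the hardened shape): each factor is applied via
 * mul_bounded, so an oversized cube is refused before anything wraps. */
static int64_t cube_size_check_before(uint32_t n, uint32_t channels)
{
    uint32_t acc = 1;
    if (!mul_bounded(acc, n, MAX_LUT_ENTRIES, &acc)) return -1;
    if (!mul_bounded(acc, n, MAX_LUT_ENTRIES, &acc)) return -1;
    if (!mul_bounded(acc, n, MAX_LUT_ENTRIES, &acc)) return -1;
    if (!mul_bounded(acc, channels, MAX_LUT_ENTRIES, &acc)) return -1;
    return (int64_t)acc;
}

int main(void)
{
    /* Constructed inputs: a plausible 33-point RGB LUT, and a 1626-point
     * grid whose 1626^3*3 = 12,896,827,128 entries wrap modulo 2^32. */
    printf("33^3*3   after=%lld before=%lld\n",
           (long long)cube_size_check_after(33, 3),
           (long long)cube_size_check_before(33, 3));
    printf("1626^3*3 after=%lld before=%lld\n",
           (long long)cube_size_check_after(1626, 3),
           (long long)cube_size_check_before(1626, 3));
    return 0;
}
```

The wrapped 1626-point case comes back as 11,925,240 entries from the check-after guard, well under the bound, while the check-before guard rejects it.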