LibreOffice Segfault in CiccTagArray::Cleanup() via Malicious ICC Profile

Based on the screenshot provided by the user, I have extracted the following key information: 1. Vulnerability Overview: Title: . Description: This is a vulnerability involving a (Segmentation Violation/Segfault/crash). Location: Occurs in the function, specifically in file at line 1511. Trigger Condition: According to the logs in , the crash occurs when processing an ICC Profile (International Color Consortium profile), specifically when calls , attempting to access an invalid pointer ( ), resulting in . 2. Impact Scope: Software: LibreOffice (evident from the URL and the page title). Component: Involves the library for processing ICC Profiles ( library, specifically the and classes). Versions: Although the screenshot does not explicitly list all affected versions, this type of crash vulnerability typically affects LibreOffice versions containing this code path. 3. Remediation: Status: The screenshot shows the status as , with a green label. Fix Author: (mike.kaganski at collabora.com). Fix Date: . Fix Details: Although the screenshot does not directly show the code diff, a comment mentions: "The crash occurs when trying to use the tag array pointer, and if the array pointed has no pointers, they never get initialized." This implies the fix involves checking or initializing uninitialized pointers. 4. POC Code: The screenshot contains a section named , providing a git repository link and specific file path. Link: File: (This is a malicious ICC profile file). While the screenshot does not directly display the complete hexadecimal content of , it provides a link to obtain it. However, the section in the screenshot is actually a reference to a git repository, not a directly pasted code block. Wait, looking closely at the section, it lists the git repository URL and file path, but does not directly paste a code block. But the section shows the crash log after running this POC. Correction: The section in the screenshot is actually a reference to a git repository, not a directly pasted code block. However, the section contains extensive log output. Checking again: Under the heading, there is a git link. Under the heading are the execution results. Conclusion: The page itself does not directly provide a copyable POC code block (such as C code or Python script), only providing a link to the file ( file) that triggers the vulnerability. Therefore, I cannot extract a "code block," but I can extract the link to the POC file and the execution log. Wait, looking again: Under the heading, there is indeed no code block. Only a link. However, in the section, there is extensive logging. Looking closely at the screenshot again: Under the heading, is there a command? No. Only a URL in the format , which appears to be a copy-pasted URL. Actually, the section in the screenshot shows: No, looking closely, the content below is actually the raw content of the git repository or a preview of the file content? No, that's text following the command that looks like hexadecimal or binary data. Let's zoom in on the section. First line: Below is a block of text: or similar hexadecimal data? No, that's command output? Or file content? Looking at the section, that's the runtime log of . Looking at the section, it appears to be the output after executing the command, or a hexadecimal dump of the file content? Looking closely at the text below : This appears to be output from or , or a direct display of file content. However, this is more likely the output of the command, or some display of file content. Let's assume the section shows the content of the file triggering the vulnerability (possibly in hexadecimal). However, for accuracy, I should only extract parts that are clearly code. The section in the screenshot is actually a git link, followed by a block of data that looks like hexadecimal. Let's attempt to extract this data as the POC. Data content: This appears to be the content of the file. However, since the text is too long and difficult to transcribe completely accurately (screenshot resolution limitations), I will focus on the link and description. However, the user requested "complete extraction of code blocks." If the section is considered a code block (even though it's hexadecimal representation of binary data), I should attempt to extract it. Let's look at the section again. It appears to be: This could actually be a command and file content copy-pasted by the user. To be safe, I will extract the link from the section and note that the POC file is located at that link. At the same time, I will extract the key crash information from . Revised Strategy: Vulnerability Overview: SEGv in CiccTagArray::Cleanup(). Impact Scope: LibreOffice (ICC Profile processing). Remediation: Fixed (FIXED), fixed by Mike Kaganski. POC: Provide git link. Regarding POC code block: The section in the screenshot contains a large block of text. The first line is . Below is a block of hexadecimal data. This appears to be output from . Since the text is to

Goal Reached Thanks to every supporter — we hit 100%!

LibreOffice Segfault in CiccTagArray::Cleanup() via Malicious ICC Profile

More from this source