Vulnerability Note VU#369800
Little CMS 2 DefaultICCintents double-free vulnerability
Little CMS 2 contains a double-free vulnerability in the DefaultICCintents function, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Little CMS is an open-source color management engine that supports the International Color Consortium (ICC) standard. Little CMS 2.5 and earlier 2.x versions (liblcms2) contain a double-free vulnerability in the DefaultICCintents() function, which is provided in cmscnvrt.c. When the "Lut" cmsPipeline object is freed more than once, this can result in an exploitable memory corruption situation.
Although this issue was addressed in 2013, it was not assigned a CVE identifier at that time. Because of this, some vendors may not have upgraded liblcms2 to a version that contains the fix for this vulnerability.
By causing an application to process a malformed ICC profile, a remote, unauthenticated attacker may be able to cause arbitrary code execution with the privileges of the application that uses the Little CMS library. Exploitability of the vulnerability depends on how the application uses liblcms2 and what capabilities are exposed to an attacker.
Apply an update
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Arch Linux||Affected||29 Apr 2016||03 May 2016|
|CentOS||Affected||29 Apr 2016||04 May 2016|
|Debian GNU/Linux||Affected||29 Apr 2016||04 May 2016|
|Fedora Project||Affected||29 Apr 2016||04 May 2016|
|Gentoo Linux||Affected||29 Apr 2016||04 May 2016|
|openSUSE project||Affected||29 Apr 2016||04 May 2016|
|Red Hat, Inc.||Affected||29 Apr 2016||04 May 2016|
|Slackware Linux Inc.||Affected||29 Apr 2016||04 May 2016|
|SUSE Linux||Affected||29 Apr 2016||04 May 2016|
|Turbolinux||Affected||29 Apr 2016||04 May 2016|
|Ubuntu||Affected||29 Apr 2016||04 May 2016|
|Arista Networks, Inc.||Not Affected||29 Apr 2016||02 May 2016|
|Lenovo||Not Affected||02 May 2016||03 May 2016|
|Apple||Unknown||29 Apr 2016||29 Apr 2016|
|CoreOS||Unknown||29 Apr 2016||29 Apr 2016|
CVSS Metrics (Learn More)
This vulnerability was corrected in 2013 by Marti Maria, and was independently discovered by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
- CVE IDs: CVE-2013-7455
- Date Public: 10 Jul 2013
- Date First Published: 04 May 2016
- Date Last Updated: 04 May 2016
- Document Revision: 15
If you have feedback, comments, or additional information about this vulnerability, please send us email.