
CERT Coordination Center

Little CMS 2 DefaultICCintents double-free vulnerability

Vulnerability Note VU#369800

Original Release Date: 2016-05-04 | Last Revised: 2016-05-04

Overview

Little CMS 2 contains a double-free vulnerability in the DefaultICCintents function, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Little CMS is an open-source color management engine that supports the International Color Consortium (ICC) standard. Little CMS 2.5 and earlier 2.x versions (liblcms2) contain a double-free vulnerability in the DefaultICCintents() function in cmscnvrt.c: the "Lut" cmsPipeline object can be freed more than once, which results in exploitable memory corruption.

Although this issue was addressed in 2013, it was not assigned a CVE identifier at that time. Because of this, some vendors may not have upgraded liblcms2 to a version that contains the fix for this vulnerability.
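The ownership mistake behind this class of bug, as an added illustration that is not the lcms2 code: a constructed pipeline builder frees its Lut object on an error path and the caller's cleanup frees it again, beside the hardened form in which the caller alone owns the object and releases it through a pointer-nulling helper. Pipeline, build_flawed, build_fixed and the counting tracker are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed pipeline model (not lcms2's cmsPipeline); the point is which
 * function owns the object once the builder hits an error. */
typedef struct { int stages; } Pipeline;
/* Tracking release: re-releasing an already-released object is counted rather
 * than handed to free() again, so the flawed flow is observable, not a crash. */
static Pipeline *live = NULL;
static int double_frees = 0;
static Pipeline *pipeline_new(void) { live = calloc(1, sizeof(Pipeline)); return live; }
static void pipeline_free(Pipeline *p) {
    if (p == NULL) return;                      /* like free(NULL): a no-op */
    if (p != live) { double_frees++; return; }  /* already released: double free */
    live = NULL;
    free(p);
}

/* Flawed pattern: the builder frees Lut when a stage fails; the caller's cleanup
 * then frees the same Lut a second time. */
static int build_flawed(Pipeline *Lut, int stage_ok) {
    if (!stage_ok) { pipeline_free(Lut); return 0; }   /* first free */
    Lut->stages++; return 1;
}
int flawed_flow(int stage_ok) {
    double_frees = 0;
    Pipeline *Lut = pipeline_new();
    build_flawed(Lut, stage_ok);
    pipeline_free(Lut);                         /* second free on the error path */
    return double_frees;
}

/* Hardened pattern: ownership stays with the caller. The builder only reports
 * failure; the caller releases once through a helper that nulls the pointer,
 * so a repeated release of the same variable is a harmless no-op. */
static void pipeline_release(Pipeline **pp) { pipeline_free(*pp); *pp = NULL; }
static int build_fixed(Pipeline *Lut, int stage_ok) {
    if (!stage_ok) return 0;
    Lut->stages++; return 1;
}
int fixed_flow(int stage_ok) {
    double_frees = 0;
    Pipeline *Lut = pipeline_new();
    int ok = build_fixed(Lut, stage_ok);
    pipeline_release(&Lut);
    if (!ok) pipeline_release(&Lut);            /* error-path cleanup: now a no-op */
    return double_frees;
}

int main(void) { printf("flawed: %d, fixed: %d\n", flawed_flow(0), fixed_flow(0)); return 0; }
```

Each flow returns how many times the tracker saw an already-released object handed back to it; a sanitizer such as ASan reports the same condition in real code.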

Impact

By causing an application to process a malformed ICC profile, a remote, unauthenticated attacker may be able to cause arbitrary code execution with the privileges of the application that uses the Little CMS library. Exploitability of the vulnerability depends on how the application uses liblcms2 and what capabilities are exposed to an attacker.

Solution

Apply an update

This issue is resolved in Little CMS 2.6. Please check with your vendor for update availability.

Vendor Information


Arch Linux

Notified:  April 29, 2016 Updated:  May 03, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CentOS

Notified:  April 29, 2016 Updated:  May 04, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux

Notified:  April 29, 2016 Updated:  May 04, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project

Notified:  April 29, 2016 Updated:  May 04, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux

Notified:  April 29, 2016 Updated:  May 04, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc.

Notified:  April 29, 2016 Updated:  May 04, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux

Notified:  April 29, 2016 Updated:  May 04, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc.

Notified:  April 29, 2016 Updated:  May 04, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux

Notified:  April 29, 2016 Updated:  May 04, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu

Notified:  April 29, 2016 Updated:  May 04, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

openSUSE project

Notified:  April 29, 2016 Updated:  May 04, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Arista Networks, Inc.

Notified:  April 29, 2016 Updated:  May 02, 2016

Statement Date:   May 02, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Arista EOS does not include lcms2, so is not affected by this vulnerability.

Lenovo

Notified:  May 02, 2016 Updated:  May 03, 2016

Statement Date:   May 03, 2016

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We do not use lcms2 in any of our products.

Apple

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

CoreOS

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

DesktopBSD

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

DragonFly BSD Project

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

EMC Corporation

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

F5 Networks, Inc.

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

FreeBSD Project

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Hardened BSD

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Hewlett Packard Enterprise

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Hitachi

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

IBM Corporation

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Juniper Networks

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Microsoft Corporation

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

NEC Corporation

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

NetBSD

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Nokia

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

OmniTI

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Openwall GNU/*/Linux

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Oracle Corporation

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

PC-BSD

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

QNX Software Systems Inc.

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Sony Corporation

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Tizen

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Unisys

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

m0n0wall

Notified:  April 29, 2016 Updated:  April 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References



CVSS Metrics

Group          Score  Vector
Base           10.0   AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       7.4    E:U/RL:OF/RC:C
Environmental  7.4    CDP:ND/TD:H/CR:ND/IR:ND/AR:ND
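The three scores in the table reproduced from the CVSS v2 equations, as an added example that is not part of the original note. The metric weights (AV:N 1.0, AC:L 0.71, Au:N 0.704, C/I/A:C 0.660, E:U 0.85, RL:OF 0.87, RC:C 1.0, CDP:ND 0.0, TD:H 1.0, CR/IR/AR:ND 1.0) are the published CVSS v2 values; the function names are this example's own.

```c
#include <stdio.h>

/* Round half up to one decimal place, as the CVSS v2 guide specifies
 * (scores are non-negative, so truncation after adding 0.5 is enough). */
static double r1(double x) { return (double)(long)(x * 10.0 + 0.5) / 10.0; }

/* Base equation shared by the base and environmental scores. */
static double base_from(double impact, double exploitability) {
    double f = (impact == 0.0) ? 0.0 : 1.176;
    return r1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f);
}

/* Base score from the six base-metric weights (AV, AC, Au, C, I, A). */
double cvss2_base(double av, double ac, double au, double c, double i, double a) {
    double impact = 10.41 * (1.0 - (1.0 - c) * (1.0 - i) * (1.0 - a));
    return base_from(impact, 20.0 * av * ac * au);
}

/* Temporal score: base scaled by Exploitability, Remediation Level, Report Confidence. */
double cvss2_temporal(double base, double e, double rl, double rc) {
    return r1(base * e * rl * rc);
}

/* Environmental score: impact re-weighted by the C/I/A requirements and capped at
 * 10, base and temporal recomputed from it, then Collateral Damage Potential and
 * Target Distribution applied. */
double cvss2_environmental(double av, double ac, double au, double c, double i, double a,
                           double e, double rl, double rc, double cdp, double td,
                           double cr, double ir, double ar) {
    double adj = 10.41 * (1.0 - (1.0 - c * cr) * (1.0 - i * ir) * (1.0 - a * ar));
    if (adj > 10.0) adj = 10.0;
    double adj_temporal = cvss2_temporal(base_from(adj, 20.0 * av * ac * au), e, rl, rc);
    return r1((adj_temporal + (10.0 - adj_temporal) * cdp) * td);
}

/* Weights for this note's vectors: AV:N 1.0, AC:L 0.71, Au:N 0.704, C/I/A:C 0.660;
 * E:U 0.85, RL:OF 0.87, RC:C 1.0; CDP:ND 0.0, TD:H 1.0, CR/IR/AR:ND 1.0. */
double note_base(void)     { return cvss2_base(1.0, 0.71, 0.704, 0.660, 0.660, 0.660); }
double note_temporal(void) { return cvss2_temporal(note_base(), 0.85, 0.87, 1.0); }
double note_environmental(void) {
    return cvss2_environmental(1.0, 0.71, 0.704, 0.660, 0.660, 0.660,
                               0.85, 0.87, 1.0, 0.0, 1.0, 1.0, 1.0, 1.0);
}

int main(void) {
    printf("Base %.1f  Temporal %.1f  Environmental %.1f\n",
           note_base(), note_temporal(), note_environmental());
    return 0;
}
```

The temporal score is where the "no CVE, so vendors may not have picked up the 2013 fix" situation shows up: RL:OF (official fix available) alone pulls the 10.0 base down to 7.4, which overstates the protection of a deployment that never took that fix.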

References

Acknowledgements

This vulnerability was corrected in 2013 by Marti Maria, and was independently discovered by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2013-7455
Date Public: 2013-07-10
Date First Published: 2016-05-04
Date Last Updated: 2016-05-04 21:07 UTC
Document Revision: 15

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.