CVE-2013-7455
Publication date 4 May 2016
Last updated 24 July 2024
Ubuntu priority
Double free vulnerability in the DefaultICCintents function in cmscnvrt.c in liblcms2 in Little CMS 2.x before 2.6 allows remote attackers to execute arbitrary code via a malformed ICC profile that triggers an error in the default intent handler.
From the Ubuntu Security Team
It was discovered that a double free() could occur when the intent handling code in the Little CMS library detected an error. An attacker could use this to specially craft a file that caused an application using the Little CMS library to crash or possibly execute arbitrary code.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| ghostscript | 16.04 LTS xenial |
Not affected
|
| 14.04 LTS trusty | Not in release | |
| lcms2 | 16.04 LTS xenial |
Not affected
|
| 14.04 LTS trusty |
Fixed 2.5-0ubuntu4.1
|
|
Notes
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.8 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-2961-1
- Little CMS vulnerability
- 4 May 2016