Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:369800
HistoryMay 04, 2016 - 12:00 a.m.

Little CMS 2 DefaultICCintents double-free vulnerability

2016-05-0400:00:00
www.kb.cert.org
13

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.043 Low

EPSS

Percentile

92.4%

JSON

Overview

Little CMS 2 contains a double-free vulnerability in the DefaultICCintents function, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Little CMS is an open-source color management engine that supports the International Color Consortium (ICC) standard. Little CMS 2.5 and earlier 2.x versions (liblcms2) contain a double-free vulnerability in the DefaultICCintents() function, which is provided in cmscnvrt.c. When the “LutcmsPipeline object is freed more than once, this can result in an exploitable memory corruption situation.

Although this issue was addressed in 2013, it was not assigned a CVE identifier at that time. Because of this, some vendors may not have upgraded liblcms2 to a version that contains the fix for this vulnerability.

Impact

By causing an application to process a malformed ICC profile, a remote, unauthenticated attacker may be able to cause arbitrary code execution with the privileges of the application that uses the Little CMS library. Exploitability of the vulnerability depends on how the application uses liblcms2 and what capabilities are exposed to an attacker.

Solution

Apply an update

This issue is resolved in Little CMS 2.6. Please check with your vendor for update availability.

Vendor Information

369800

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Arch Linux Affected

Notified: April 29, 2016 Updated: May 03, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CentOS Affected

Notified: April 29, 2016 Updated: May 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux Affected

Notified: April 29, 2016 Updated: May 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project Affected

Notified: April 29, 2016 Updated: May 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux Affected

Notified: April 29, 2016 Updated: May 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc. Affected

Notified: April 29, 2016 Updated: May 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux Affected

Notified: April 29, 2016 Updated: May 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc. Affected

Notified: April 29, 2016 Updated: May 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux Affected

Notified: April 29, 2016 Updated: May 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu Affected

Notified: April 29, 2016 Updated: May 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

openSUSE project Affected

Notified: April 29, 2016 Updated: May 04, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Arista Networks, Inc. __ Not Affected

Notified: April 29, 2016 Updated: May 02, 2016

Statement Date: May 02, 2016

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Arista EOS does not include lcms2, so is not affected

by this vulnerability.

Lenovo __ Not Affected

Notified: May 02, 2016 Updated: May 03, 2016

Statement Date: May 03, 2016

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We do not use lcms2 in any of our products.

Apple Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CoreOS Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

DesktopBSD Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

DragonFly BSD Project Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

EMC Corporation Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

F5 Networks, Inc. Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

FreeBSD Project Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hardened BSD Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hewlett Packard Enterprise Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hitachi Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IBM Corporation Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Juniper Networks Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Microsoft Corporation Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

NEC Corporation Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

NetBSD Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Nokia Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

OmniTI Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Openwall GNU/*/Linux Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Oracle Corporation Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

PC-BSD Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

QNX Software Systems Inc. Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Sony Corporation Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Tizen Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Unisys Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

m0n0wall Unknown

Notified: April 29, 2016 Updated: April 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

View all 38 vendors __View less vendors __

CVSS Metrics

Group Score Vector
Base 10 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 7.4 E:U/RL:OF/RC:C
Environmental 7.4 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This vulnerability was corrected in 2013 by Marti Maria, and was independently discovered by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2013-7455
Date Public: 2013-07-10 Date First Published:

Related

nessus 1
ubuntucve 1
ibm 1
prion 1
cvelist 1
cloudfoundry 1
openvas 1
ubuntu 1
cve 1
redhatcve 1
nvd 1
debiancve 1
nessus
nessus
Ubuntu 14.04 LTS : Little CMS vulnerability (USN-2961-1)
2016-05-05 00:00:00
ubuntucve
ubuntucve
CVE-2013-7455
2016-05-04 00:00:00
ibm
ibm
Security Bulletin: A vulnerability in lcms affects PowerKVM (CVE-2013-7455)
2018-06-18 01:32:30
prion
prion
Double free
2016-05-07 10:59:00
cvelist
cvelist
CVE-2013-7455
2016-05-07 10:00:00
cloudfoundry
cloudfoundry
USN-2961-1 Little CMS vulnerability | Cloud Foundry
2016-06-13 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-2961-1)
2016-05-05 00:00:00
ubuntu
ubuntu
Little CMS vulnerability
2016-05-04 00:00:00
cve
cve
CVE-2013-7455
2016-05-07 10:59:00
redhatcve
redhatcve
CVE-2013-7455
2016-05-06 07:48:16
nvd
nvd
CVE-2013-7455
2016-05-07 10:59:00
debiancve
debiancve
CVE-2013-7455
2016-05-07 10:59:00

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.043 Low

EPSS

Percentile

92.4%

JSON
Related for VU:369800
nessus1ubuntucve1ibm1prion1cvelist1cloudfoundry1openvas1ubuntu1cve1redhatcve1nvd1debiancve1