Little CMS 2 DefaultICCintents double-free vulnerability
Original Release date: 04 May 2016 | Last revised: 04 May 2016

Overview
Little CMS 2 contains a double-free vulnerability in the DefaultICCintents function, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description
Little CMS is an open-source color management engine that supports the International Color Consortium (ICC) standard. Little CMS 2.5 and earlier 2.x versions (liblcms2) contain a double-free vulnerability in the DefaultICCintents() function, which is provided in cmscnvrt.c. When the “Lut” cmsPipeline object is freed more than once, this can result in an exploitable memory corruption situation.
Although this issue was addressed in 2013, it was not assigned a CVE identifier at that time.

Because of this, some vendors may not have upgraded liblcms2 to a version that contains the fix for this vulnerability.
Impact
By causing an application to process a malformed ICC profile, a remote, unauthenticated attacker may be able to cause arbitrary code execution with the privileges of the application that uses the Little CMS library.

Exploitability of the vulnerability depends on how the application uses liblcms2 and what capabilities are exposed to an attacker.
Solution
Apply an updateThis issue is resolved in Little CMS 2.6. Please check with your vendor for update availability.
Vendor Information (Learn More)

VendorStatusDate NotifiedDate UpdatedArch LinuxAffected29 Apr 201603 May 2016CentOSAffected29 Apr 201604 May 2016Debian GNU/LinuxAffected29 Apr 201604 May 2016Fedora ProjectAffected29 Apr 201604 May 2016Gentoo LinuxAffected29 Apr 201604 May 2016openSUSE projectAffected29 Apr 201604 May 2016Red Hat, Inc.Affected29 Apr 201604 May 2016Slackware Linux Inc.Affected29 Apr 201604 May 2016SUSE LinuxAffected29 Apr 201604 May 2016TurbolinuxAffected29 Apr 201604 May 2016UbuntuAffected29 Apr 201604 May 2016Arista Networks, Inc.Not Affected29 Apr 201602 May 2016LenovoNot Affected02 May 201603 May 2016AppleUnknown29 Apr 201629 Apr 2016CoreOSUnknown29 Apr 201629 Apr 2016If you are a vendor and your product is affected, let
us know.View More &raquoCVSS Metrics (Learn More)

Group
Score
Vector
Base
10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal
7.4
E:U/RL:OF/RC:C
Environmental
7.4
CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Credit

This vulnerability was corrected in 2013 by Marti Maria, and was independently discovered by Will Dormann of the CERT/CC.
This document was written by Will Dormann.

Other Information

CVE IDs:
CVE-2013-7455

Date Public:
10 Jul 2013

Date First Published:
04 May 2016

Date Last Updated:
04 May 2016

Document Revision:
15

FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.