Your submission was sent successfully! Close

CVE-2009-0793

Published: 09 April 2009

cmsxform.c in LittleCMS (aka lcms or liblcms) 1.18, as used in OpenJDK and other products, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted image that triggers execution of incorrect code for "transformations of monochrome profiles."

Priority

Low

Status

Package Release Status
lcms
Launchpad, Ubuntu, Debian
Upstream Needs triage

Patches:
Vendor: https://bugzilla.redhat.com/attachment.cgi?id=337279
openjdk-6
Launchpad, Ubuntu, Debian
Upstream
Released (6b16-1)

Notes

AuthorNote
mdeslaur
as per upstream post to lcms-user:
No code injection can be done using this bug. Using monochrome
profiles is rare, and using  them in the output direction is a
corner case. This bug is only exploitable if the application
uses monochrome output, and then the crafted profile should be
in the output direction. Does not affect input profiles, so an
attacker could NOT use this flaw by creating a specially-crafted
image.

References

Bugs