Published: 04 May 2016

Double free vulnerability in the DefaultICCintents function in cmscnvrt.c in liblcms2 in Little CMS 2.x before 2.6 allows remote attackers to execute arbitrary code via a malformed ICC profile that triggers an error in the default intent handler.

From the Ubuntu security team

It was discovered that a double free() could occur when the intent handling code in the Little CMS library detected an error. An attacker could use this to specially craft a file that caused an application using the Little CMS library to crash or possibly execute arbitrary code.



CVSS 3 base score: 9.8


Package Release Status
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable (gs uses system liblcms2)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist (trusty was not-affected [gs uses system liblcms2])
Launchpad, Ubuntu, Debian
Released (2.6)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable (2.5 only)
Ubuntu 14.04 ESM (Trusty Tahr) Released (2.5-0ubuntu4.1)