CVE-2013-7455

Published: 04 May 2016

Double free vulnerability in the DefaultICCintents function in cmscnvrt.c in liblcms2 in Little CMS 2.x before 2.6 allows remote attackers to execute arbitrary code via a malformed ICC profile that triggers an error in the default intent handler.

From the Ubuntu security team

It was discovered that a double free() could occur when the intent handling code in the Little CMS library detected an error. An attacker could use this to specially craft a file that caused an application using the Little CMS library to crash or possibly execute arbitrary code.

Priority

Medium

CVSS 3 base score: 9.8

Status

Package: ghostscript (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (gs uses system liblcms2)
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was not-affected [gs uses system liblcms2])

Package: lcms2 (Launchpad, Ubuntu, Debian)
  Upstream: Released (2.6)
  Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (2.5 only)
  Ubuntu 14.04 ESM (Trusty Tahr): Released (2.5-0ubuntu4.1)