CVE-2016-10165 in Ubuntu

CVE-2016-10165

Priority

Description

The Type_MLU_Read function in cmstypes.c in Little CMS (aka lcms2) allows
remote attackers to obtain sensitive information or cause a denial of
service via an image with a crafted ICC profile, which triggers an
out-of-bounds heap read.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10165
http://www.openwall.com/lists/oss-security/2016/08/15/9
http://www.openwall.com/lists/oss-security/2017/01/25/14
https://ubuntu.com/security/notices/USN-3770-1
https://ubuntu.com/security/notices/USN-3770-2

Bugs

https://bugzilla.redhat.com/show_bug.cgi?id=1367357
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852627
https://bugs.launchpad.net/bugs/1679989

Notes

sbeattie

openjdk-7 as of 7u111-2.6.7 uses embedded copy of lcms2 (see
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1896)

Package

Source: lcms2 (LP Ubuntu Debian)

Upstream:	released (2.8-4)
Ubuntu 18.04 LTS:	released (2.8-4)
Ubuntu 16.04 ESM:	released (2.6-3ubuntu2.1)
Ubuntu 14.04 ESM:	released (2.5-0ubuntu4.2)

Patches:

Upstream:

https://github.com/mm2/Little-CMS/commit/5ca71a7bc18b6897ab21d815d15e218e204581e2

Package

Source: openjdk-7 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 14.04 ESM:	DNE (trusty was released [7u121-2.6.8-1ubuntu0.14.04.1])

Patches:

Package

Source: openjdk-8 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	not-affected (uses system lcms)
Ubuntu 16.04 ESM:	not-affected (uses system lcms)
Ubuntu 14.04 ESM:	DNE

Patches:

More Information

Updated: 2022-04-13 12:10:35 UTC (commit f411bd370d482ef4385c4e751d121a4055fbc009)