CVE-2013-7455

Priority
Description
Double free vulnerability in the DefaultICCintents function in cmscnvrt.c
in liblcms2 in Little CMS 2.x before 2.6 allows remote attackers to execute
arbitrary code via a malformed ICC profile that triggers an error in the
default intent handler.
Ubuntu-Description
It was discovered that a double free() could occur when the intent
handling code in the Little CMS library detected an error. An
attacker could use this to specially craft a file that caused an
application using the Little CMS library to crash or possibly
execute arbitrary code.
Assigned-to
sbeattie
Notes
jdstrandghostscript 9.07 in Ubuntu 13.04+ uses an embedded copy of lcms2
sbeattieaffects lcms2 2.5 only
Package
Upstream:needs-triage
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was not-affected [gs uses system liblcms2])
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (gs uses system liblcms2)
Package
Source: lcms2 (LP Ubuntu Debian)
Upstream:released (2.6)
Ubuntu 14.04 ESM (Trusty Tahr):released (2.5-0ubuntu4.1)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (2.5 only)
More Information

Updated: 2020-03-18 22:14:24 UTC (commit 2ea7df7bd1e69e1e489978d2724a936eb3faa1b8)