CVE-2013-7455
critical
CVSS v3
9.8
CVSS v2
10.0
VIR risk
9.8
Description
Double free vulnerability in the DefaultICCintents function in cmscnvrt.c in liblcms2 in Little CMS 2.x before 2.6 allows remote attackers to execute arbitrary code via a malformed ICC profile that triggers an error in the default intent handler.
Predictions
Exploit likelihood
97%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2013-7455
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2013-7455.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | bookworm | fixed | 2.6-1 |
| debian | bullseye | fixed | 2.6-1 |
| debian | forky | fixed | 2.6-1 |
| debian | sid | fixed | 2.6-1 |
| debian | trixie | fixed | 2.6-1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| littlecms | little_cms_color_engine | 2.0 | |
| littlecms | little_cms_color_engine | 2.1 | |
| littlecms | little_cms_color_engine | 2.2 | |
| littlecms | little_cms_color_engine | 2.3 | |
| littlecms | little_cms_color_engine | 2.4 | |
| littlecms | little_cms_color_engine | 2.5 | |