CVE-2013-4160
Published: 22 July 2013
Little CMS (lcms2) before 2.5, as used in OpenJDK 7 and possibly other products, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to (1) cmsStageAllocLabV2ToV4curves, (2) cmsPipelineDup, (3) cmsAllocProfileSequenceDescription, (4) CurvesAlloc, and (5) cmsnamed.
Notes
Author | Note |
---|---|
jdstrand | OpenJDK issue 8007925 does not affect lcms (code not present); OpenJDK issue 8007926 does not affect lcms (code not present); OpenJDK issue 8007927 does not affect lcms (code not present); OpenJDK issue 8007929 does not affect lcms (code not present); OpenJDK issue 8009654 does not affect lcms (code not present) |
Priority
Status
Package | Release | Status |
---|---|---|
lcms2 (Launchpad, Ubuntu, Debian) | upstream | Released (2.5) |
lcms2 | lucid | Does not exist |
lcms2 | precise | Released (2.2+git20110628-2ubuntu3.1) |
lcms2 | quantal | Released (2.2+git20110628-2ubuntu4.1) |
lcms2 | raring | Released (2.4-0ubuntu3.1) |
lcms (Launchpad, Ubuntu, Debian) | upstream | Needs triage |
lcms | lucid | Not vulnerable (code-not-present) |
lcms | precise | Not vulnerable (code-not-present) |
lcms | quantal | Not vulnerable (code-not-present) |
lcms | raring | Not vulnerable (code-not-present) |
ghostscript (Launchpad, Ubuntu, Debian) | upstream | Needs triage |
ghostscript | lucid | Not vulnerable (code not present) |
ghostscript | precise | Not vulnerable (code not present) |
ghostscript | quantal | Not vulnerable (code not present) |
ghostscript | raring | Released (9.07~dfsg2-0ubuntu3.1) |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4160
- https://github.com/mm2/Little-CMS/commit/91c2db7f2559be504211b283bc3a2c631d6f06d9
- https://bugzilla.novell.com/show_bug.cgi?id=826097#c9
- http://www.openwall.com/lists/oss-security/2013/07/22
- https://ubuntu.com/security/notices/USN-1911-1
- https://ubuntu.com/security/notices/USN-1911-2
- NVD
- Launchpad
- Debian