Little CMS ICC Profile Stack Buffer Overflow Vulnerability
BID:24001
Info
| Bugtraq ID: | 24001 |
| Class: | Boundary Condition Error |
| CVE: | CVE-2007-2741 |
| Remote: | Yes |
| Local: | No |
| Published: | May 15 2007 12:00AM |
| Updated: | Mar 19 2015 08:39AM |
| Credit: | Chris Evans is credited with the discovery of this issue. |
| Vulnerable: |
Ubuntu Ubuntu Linux 6.06 LTS sparc
Ubuntu Ubuntu Linux 6.06 LTS powerpc
Ubuntu Ubuntu Linux 6.06 LTS i386
Ubuntu Ubuntu Linux 6.06 LTS amd64
SuSE SUSE Linux Enterprise Server 8
SuSE SUSE Linux Enterprise Server 10 SP1
SuSE SUSE Linux Enterprise Server 10
SuSE SUSE Linux Enterprise SDK 10.SP1
SuSE SUSE Linux Enterprise SDK 10
SuSE SUSE Linux Enterprise Desktop 10 SP1
SuSE SUSE Linux Enterprise Desktop 10
SuSE openSUSE 10.3
SuSE Linux Professional 10.2 x86_64
SuSE Linux Personal 10.2 x86_64
S.u.S.E. UnitedLinux 1.0
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. openSUSE 10.2
S.u.S.E. openSUSE 10.1
S.u.S.E. Open-Enterprise-Server 0
S.u.S.E. Novell Linux POS 9
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 10.2
S.u.S.E. Linux Professional 10.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 10.2
S.u.S.E. Linux Personal 10.1
S.u.S.E. Linux Desktop 10
S.u.S.E. Linux 10.1 x86-64
S.u.S.E. Linux 10.1 x86
S.u.S.E. Linux 10.1 ppc
S.u.S.E. Linux 10.0 x86-64
S.u.S.E. Linux 10.0 x86
S.u.S.E. Linux 10.0 ppc
MandrakeSoft Corporate Server 4.0 x86_64
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 4.0
Little CMS Little CMS 1.13
Gentoo Linux |
| Not Vulnerable: | Little CMS Little CMS 1.15 |
Discussion
Little CMS is prone to a remote stack-based buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized memory buffer. This issue stems from an error in LCMS when parsing ICC profiles.
Successful exploits may allow attackers to execute arbitrary code with the privileges of the application using the affected library. Failed exploit attempts will likely result in denial-of-service conditions.
Versions prior to Little CMS 1.15 are vulnerable to this issue.
Exploit / POC
The following proof-of-concept demonstration JPG file is available:
http://scary.beasts.org/misc/badicc4.jpg
Solution / Fix
Solution:
The vendor released fixes to address this issue. Please see the references for more information.
Ubuntu Ubuntu Linux 6.06 LTS sparc
- Ubuntu liblcms-utils_1.13-1ubuntu0.1_sparc.deb
  http://security.ubuntu.com/ubuntu/pool/universe/l/lcms/liblcms-utils_1.13-1ubuntu0.1_sparc.deb
- Ubuntu liblcms1-dev_1.13-1ubuntu0.1_sparc.deb
  http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1-dev_1.13-1ubuntu0.1_sparc.deb
- Ubuntu liblcms1_1.13-1ubuntu0.1_sparc.deb
  http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1_1.13-1ubuntu0.1_sparc.deb

Ubuntu Ubuntu Linux 6.06 LTS powerpc
- Ubuntu liblcms-utils_1.13-1ubuntu0.1_powerpc.deb
  http://security.ubuntu.com/ubuntu/pool/universe/l/lcms/liblcms-utils_1.13-1ubuntu0.1_powerpc.deb
- Ubuntu liblcms1-dev_1.13-1ubuntu0.1_powerpc.deb
  http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1-dev_1.13-1ubuntu0.1_powerpc.deb
- Ubuntu liblcms1_1.13-1ubuntu0.1_powerpc.deb
  http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1_1.13-1ubuntu0.1_powerpc.deb

Ubuntu Ubuntu Linux 6.06 LTS i386
- Ubuntu liblcms-utils_1.13-1ubuntu0.1_i386.deb
  http://security.ubuntu.com/ubuntu/pool/universe/l/lcms/liblcms-utils_1.13-1ubuntu0.1_i386.deb
- Ubuntu liblcms1-dev_1.13-1ubuntu0.1_i386.deb
  http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1-dev_1.13-1ubuntu0.1_i386.deb
- Ubuntu liblcms1_1.13-1ubuntu0.1_i386.deb
  http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1_1.13-1ubuntu0.1_i386.deb

Ubuntu Ubuntu Linux 6.06 LTS amd64
- Ubuntu liblcms-utils_1.13-1ubuntu0.1_amd64.deb
  http://security.ubuntu.com/ubuntu/pool/universe/l/lcms/liblcms-utils_1.13-1ubuntu0.1_amd64.deb
- Ubuntu liblcms1-dev_1.13-1ubuntu0.1_amd64.deb
  http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1-dev_1.13-1ubuntu0.1_amd64.deb
- Ubuntu liblcms1_1.13-1ubuntu0.1_amd64.deb
  http://security.ubuntu.com/ubuntu/pool/main/l/lcms/liblcms1_1.13-1ubuntu0.1_amd64.deb

Little CMS Little CMS 1.13
- Little CMS LCMS Linux lcms-1.16.tar.gz
  http://www.littlecms.com/lcms-1.16.tar.gz
- Little CMS LCMS Windows lcms-1.16.zip
  http://www.littlecms.com/lcms-1.16.zip
References
References:
- Little CMS Homepage (Little CMS)
- CESA-2007-001 - rev 1 (Chris Evans)