CVE-2016-10165: heap OOB read parsing crafted ICC profile

Bug #1679989 reported by Amr Ibrahim
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| lcms2 (Debian) | Fix Released | Unknown | | |
| lcms2 (Ubuntu) | Confirmed | Low | Unassigned | |
| Precise | Won't Fix | Low | Unassigned | |
| Trusty | Confirmed | Low | Unassigned | |
| Xenial | Confirmed | Low | Unassigned | |
| Zesty | Confirmed | Low | Unassigned | |
| Artful | Confirmed | Low | Unassigned | |

Bug Description

The Type_MLU_Read function in cmstypes.c in Little CMS (aka lcms2) allows remote attackers to obtain sensitive information or cause a denial of service via an image with a crafted ICC profile, which triggers an out-of-bounds heap read.

CVE References

information type: Private Security → Public Security
Changed in lcms2 (Debian):
status: Unknown → Fix Released
Changed in lcms2 (Ubuntu Precise):
status: New → Confirmed
Changed in lcms2 (Ubuntu Trusty):
status: New → Confirmed
Changed in lcms2 (Ubuntu Xenial):
status: New → Confirmed
Changed in lcms2 (Ubuntu Yakkety):
status: New → Confirmed
Changed in lcms2 (Ubuntu Zesty):
status: New → Confirmed
Changed in lcms2 (Ubuntu Artful):
status: New → Confirmed
Changed in lcms2 (Ubuntu Precise):
importance: Undecided → Low
Changed in lcms2 (Ubuntu Trusty):
importance: Undecided → Low
Changed in lcms2 (Ubuntu Xenial):
importance: Undecided → Low
Changed in lcms2 (Ubuntu Yakkety):
importance: Undecided → Low
Changed in lcms2 (Ubuntu Zesty):
importance: Undecided → Low
Changed in lcms2 (Ubuntu Artful):
importance: Undecided → Low
Jeremy Bícha (jbicha)
no longer affects: lcms2 (Ubuntu Yakkety)
Steve Langasek (vorlon) wrote:

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in lcms2 (Ubuntu Precise):
status: Confirmed → Won't Fix