
DOE-CIRC TECHNICAL BULLETIN

T-133: Little CMS Monochrome Profiles Null Pointer Dereference Denial of Service Vulnerability

[CVE-2009-0793]

May 12, 2009 18:00 GMT

PROBLEM: Little CMS is prone to a remote denial-of-service vulnerability.
PLATFORM: Little CMS 1.07 through 1.18; OpenJDK 1.6; Red Hat Fedora 9.0 and 10; Red Hat Enterprise Linux 5 (Desktop client and server); Debian Linux 5.0 (alpha, amd64, arm, armel, hppa, ia-32, ia-64, m68k, mips, mipsel, powerpc, s/390, sparc); Gentoo Linux; Pardus Linux 2008.0
ABSTRACT: Little CMS is prone to a remote denial-of-service vulnerability: a NULL pointer dereference while processing a crafted ICC monochrome profile. Attackers can exploit this issue by tricking a victim into opening a specially crafted image file carrying such a profile. Attackers can use readily available tools to create malicious files designed to leverage this issue. Successful attacks will cause the application using the affected engine to crash.

LINKS:  
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-133.shtml
  OTHER LINKS:
    Security Focus
    http://www.securityfocus.com/bid/34411/info
    Little CMS Project Page
    http://sourceforge.net/projects/lcms/
    Red Hat
    https://bugzilla.redhat.com/show_bug.cgi?id=492353

IMPACT ASSESSMENT: The risk is low. Successful attacks will cause the application using the affected engine to crash; no code execution is reported for this issue.

[***** Start CVE-2009-0793 *****]
Problem:
Little CMS is prone to a remote denial-of-service vulnerability.

Platforms:
Red Hat Fedora 9.0
Red Hat Fedora 10
Red Hat Enterprise Linux Desktop 5 client
Red Hat Enterprise Linux 5 server
Pardus Linux 2008.0
OpenJDK 1.6
Little CMS 1.18
Little CMS 1.17
Little CMS 1.16
Little CMS 1.15
Little CMS 1.14
Little CMS 1.13
Little CMS 1.12
Little CMS 1.11
Little CMS 1.10
Little CMS 1.09
Little CMS 1.08
Little CMS 1.07
Gentoo Linux
Debian Linux 5.0 sparc
Debian Linux 5.0 s/390
Debian Linux 5.0 powerpc
Debian Linux 5.0 mipsel
Debian Linux 5.0 mips
Debian Linux 5.0 m68k
Debian Linux 5.0 ia-64
Debian Linux 5.0 ia-32
Debian Linux 5.0 hppa
Debian Linux 5.0 armel
Debian Linux 5.0 arm
Debian Linux 5.0 amd64
Debian Linux 5.0 alpha
Debian Linux 5.0

Abstract:
Little CMS is prone to a remote denial-of-service vulnerability: a NULL pointer dereference while processing a crafted
ICC monochrome profile. Attackers can exploit this issue by tricking a victim into opening a specially crafted image
file carrying such a profile. Attackers can use readily available tools to create malicious files designed to leverage
this issue. Successful attacks will cause the application using the affected engine to crash.
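
The bug class behind this bulletin, as an added illustration that is not Little CMS code and does not reproduce the actual CVE-2009-0793 code path: a profile reader looks up the gray tone-reproduction-curve tag (kTRC) that an ICC monochrome profile is required to carry, and the unchecked variant dereferences the lookup result without testing it for NULL, so a crafted profile that simply omits the tag crashes the process. The checked variant rejects the profile instead. The tag-table layout, the find_tag helper, and the sample profiles are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified ICC-like tag table: each entry is a 4-byte
 * signature plus offset/size into the profile payload. Illustration only,
 * not the lcms data structures. */
#define SIG(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | \
                         (uint32_t)(c) << 8 | (uint32_t)(d))
#define SIG_GRAY_TRC SIG('k', 'T', 'R', 'C') /* grayTRCTag, required in monochrome profiles */
#define SIG_WTPT     SIG('w', 't', 'p', 't') /* mediaWhitePointTag */

typedef struct { uint32_t sig; uint32_t offset; uint32_t size; } tag_entry;
typedef struct {
    const tag_entry *tags; size_t count;
    const uint8_t *data;   size_t data_len;
} profile;

/* Returns a pointer to the tag payload, or NULL when the tag is absent or its
 * offset/size do not fit inside the profile (treated the same as missing). */
static const uint8_t *find_tag(const profile *p, uint32_t sig, size_t *size)
{
    for (size_t i = 0; i < p->count; i++) {
        const tag_entry *t = &p->tags[i];
        if (t->sig != sig) continue;
        if (t->offset > p->data_len || t->size > p->data_len - t->offset)
            return NULL;
        if (size) *size = t->size;
        return p->data + t->offset;
    }
    return NULL;
}

/* Vulnerable pattern: assumes a monochrome profile always carries kTRC and
 * dereferences the lookup result unconditionally. With a crafted profile
 * that omits the tag this reads through NULL and crashes. */
int gray_trc_type_unchecked(const profile *p)
{
    const uint8_t *trc = find_tag(p, SIG_GRAY_TRC, NULL);
    return trc[0]; /* NULL dereference when the tag is missing */
}

/* Hardened: the tag table comes from the file, so its contents are untrusted.
 * Return -1 (reject the profile) when the tag is missing or truncated. */
int gray_trc_type_checked(const profile *p, int *type_out)
{
    size_t n = 0;
    const uint8_t *trc = find_tag(p, SIG_GRAY_TRC, &n);
    if (trc == NULL || n < 1) return -1;
    *type_out = trc[0];
    return 0;
}

/* Constructed sample profiles (not real ICC data). Static storage so the
 * returned structs remain valid after the builders return. */
static const uint8_t sample_data[] = { 'c', 'u', 'r', 'v', 0, 0, 0, 0, 0, 0, 0, 0 };
static const tag_entry good_tags[] = { { SIG_WTPT, 0, 0 }, { SIG_GRAY_TRC, 0, 12 } };
static const tag_entry bad_tags[]  = { { SIG_WTPT, 0, 0 } };      /* kTRC omitted */
static const tag_entry oob_tags[]  = { { SIG_GRAY_TRC, 8, 64 } }; /* size runs past the end */

profile make_good_profile(void) { profile p = { good_tags, 2, sample_data, sizeof sample_data }; return p; }
profile make_bad_profile(void)  { profile p = { bad_tags,  1, sample_data, sizeof sample_data }; return p; }
profile make_oob_profile(void)  { profile p = { oob_tags,  1, sample_data, sizeof sample_data }; return p; }

int main(void)
{
    profile good = make_good_profile(), bad = make_bad_profile();
    int type = 0;
    int rc = gray_trc_type_checked(&good, &type);
    printf("well-formed profile: rc=%d kTRC type byte=0x%02x\n", rc, type);
    rc = gray_trc_type_checked(&bad, &type);
    printf("crafted profile without kTRC: rc=%d (rejected; unchecked path would crash)\n", rc);
    /* gray_trc_type_unchecked(&bad) is deliberately not called: it segfaults. */
    return 0;
}
```

The checked variant also covers the case of a present tag whose offset/size point outside the profile, since find_tag folds a bad bounds entry into the same "missing" result; a reader that only tests for NULL but trusts the size field would trade the crash for an out-of-bounds read.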

References:
Security Focus
http://www.securityfocus.com/bid/34411/info
Little CMS Project
http://sourceforge.net/projects/lcms/
Red Hat
https://bugzilla.redhat.com/show_bug.cgi?id=492353
[***** End CVE-2009-0793 *****]

DOE-CIRC wishes to acknowledge the contributions of Red Hat for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788