CVE-2009-0723

high
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

Multiple integer overflows in LittleCMS (aka lcms or liblcms) before 1.18beta2, as used in Firefox 3.1beta, OpenJDK, and GIMP, allow context-dependent attackers to execute arbitrary code via a crafted image file that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information.

References

http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html

http://scary.beasts.org/security/CESA-2009-003.html

http://scarybeastsecurity.blogspot.com/2009/03/littlecms-vulnerabilities.html

http://secunia.com/advisories/34367

http://secunia.com/advisories/34382

http://secunia.com/advisories/34400

http://secunia.com/advisories/34408

http://secunia.com/advisories/34418

http://secunia.com/advisories/34442

http://secunia.com/advisories/34450

http://secunia.com/advisories/34454

http://secunia.com/advisories/34463

http://secunia.com/advisories/34632

http://secunia.com/advisories/34675

http://secunia.com/advisories/34782

http://security.gentoo.org/glsa/glsa-200904-19.xml

http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.487438

http://www.debian.org/security/2009/dsa-1745

http://www.debian.org/security/2009/dsa-1769

http://www.mandriva.com/security/advisories?name=MDVSA-2009:121

http://www.mandriva.com/security/advisories?name=MDVSA-2009:137

http://www.mandriva.com/security/advisories?name=MDVSA-2009:162

http://www.ocert.org/advisories/ocert-2009-003.html

http://www.redhat.com/support/errata/RHSA-2009-0339.html

http://www.securityfocus.com/archive/1/502018/100/0/threaded

http://www.securityfocus.com/archive/1/502031/100/0/threaded

http://www.securityfocus.com/bid/34185

http://www.securitytracker.com/id?1021869

http://www.ubuntu.com/usn/USN-744-1

http://www.vupen.com/english/advisories/2009/0775

https://bugzilla.redhat.com/show_bug.cgi?id=487508

https://exchange.xforce.ibmcloud.com/vulnerabilities/49326

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11780

https://rhn.redhat.com/errata/RHSA-2009-0377.html

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00794.html

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00799.html

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00811.html

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00851.html

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00856.html

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00857.html

https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00921.html

Details

Source: MITRE

Published: 2009-03-23

Updated: 2018-10-10

Type: CWE-189

Risk Information

CVSS v2

Base Score: 9.3

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 8.6

Severity: HIGH

Tenable Plugins

View all (28 total)

IDNameProductFamilySeverity
67831Oracle Linux 5 : java-1.6.0-openjdk (ELSA-2009-0377)NessusOracle Linux Local Security Checks
critical
67819Oracle Linux 5 : lcms (ELSA-2009-0339)NessusOracle Linux Local Security Checks
high
60550Scientific Linux Security Update : lcms on SL5.x i386/x86_64NessusScientific Linux Local Security Checks
high
43736CentOS 5 : java-1.6.0-openjdk (CESA-2009:0377)NessusCentOS Local Security Checks
critical
41544SuSE 10 Security Update : liblcms (ZYPP Patch Number 6048)NessusSuSE Local Security Checks
high
41417SuSE 11 Security Update : lcms (SAT Patch Number 635)NessusSuSE Local Security Checks
high
41284SuSE9 Security Update : liblcms (YOU Patch Number 12361)NessusSuSE Local Security Checks
high
40255openSUSE Security Update : lcms (lcms-581)NessusSuSE Local Security Checks
high
40239openSUSE Security Update : java-1_6_0-openjdk (java-1_6_0-openjdk-602)NessusSuSE Local Security Checks
high
40020openSUSE Security Update : lcms (lcms-581)NessusSuSE Local Security Checks
high
40000openSUSE Security Update : java-1_6_0-openjdk (java-1_6_0-openjdk-603)NessusSuSE Local Security Checks
high
39478Mandriva Linux Security Advisory : java-1.6.0-openjdk (MDVSA-2009:137)NessusMandriva Local Security Checks
critical
38865Mandriva Linux Security Advisory : lcms (MDVSA-2009:121-1)NessusMandriva Local Security Checks
high
38080Fedora 10 : java-1.6.0-openjdk-1.6.0.0-11.b14.fc10 (2009-2982)NessusFedora Local Security Checks
high
37935Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : lcms vulnerabilities (USN-744-1)NessusUbuntu Local Security Checks
high
37136Fedora 10 : lcms-1.18-1.fc10 (2009-2903)NessusFedora Local Security Checks
high
36384Fedora 10 : lcms-1.18-0.1.beta2.fc10 (2009-2970)NessusFedora Local Security Checks
high
36198GLSA-200904-19 : LittleCMS: Multiple vulnerabilitiesNessusGentoo Local Security Checks
high
36142Debian DSA-1769-1 : openjdk-6 - several vulnerabilitiesNessusDebian Local Security Checks
critical
36111RHEL 5 : java-1.6.0-openjdk (RHSA-2009:0377)NessusRed Hat Local Security Checks
critical
36025Fedora 9 : java-1.6.0-openjdk-1.6.0.0-0.23.b09.fc9 (2009-3034)NessusFedora Local Security Checks
high
36009Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / 12.1 / 12.2 / current : lcms (SSA:2009-083-01)NessusSlackware Local Security Checks
high
36007openSUSE 10 Security Update : liblcms (liblcms-6049)NessusSuSE Local Security Checks
high
35997Fedora 9 : java-1.6.0-openjdk-1.6.0.0-0.21.b09.fc9 (2009-2983)NessusFedora Local Security Checks
high
35996Fedora 9 : lcms-1.18-1.fc9 (2009-2928)NessusFedora Local Security Checks
high
35994Fedora 9 : lcms-1.18-0.1.beta2.fc9 (2009-2910)NessusFedora Local Security Checks
high
35970RHEL 5 : lcms (RHSA-2009:0339)NessusRed Hat Local Security Checks
high
35967Debian DSA-1745-1 : lcms - several vulnerabilitiesNessusDebian Local Security Checks
high