1
Candidate: CVE-2009-0793
4
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0793
5
https://rhn.redhat.com/errata/RHSA-2009-0377.html
7
cmsxform.c in LittleCMS (aka lcms or liblcms) 1.18, as used in OpenJDK and
8
other products, allows remote attackers to cause a denial of service (NULL
9
pointer dereference and application crash) via a crafted image that
10
triggers execution of incorrect code for "transformations of monochrome
14
mdeslaur> as per upstream post to lcms-user:
15
mdeslaur> No code injection can be done using this bug. Using monochrome
16
mdeslaur> profiles is rare, and using them in the output direction is a
17
mdeslaur> corner case. This bug is only exploitable if the application
18
mdeslaur> uses monochrome output, and then the crafted profile should be
19
mdeslaur> in the output direction. Does not affect input profiles, so an
20
mdeslaur> attacker could NOT use this flaw by creating a specially-crafted
23
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=492353
24
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530785
30
vendor: https://bugzilla.redhat.com/attachment.cgi?id=337279
31
upstream_lcms: needs-triage
32
dapper_lcms: ignored (reached end-of-life)
33
gutsy_lcms: needs-triage (reached end-of-life)
34
hardy_lcms: released (1.16-7ubuntu1.3)
35
intrepid_lcms: ignored (reached end-of-life)
36
jaunty_lcms: ignored (reached end-of-life)
37
karmic_lcms: released (1.18.dfsg-1ubuntu1.1)
38
lucid_lcms: released (1.18.dfsg-1ubuntu2.10.04.1)
39
maverick_lcms: released (1.18.dfsg-1ubuntu2.10.10.1)
40
devel_lcms: released (1.18.dfsg-1.2ubuntu1)
43
upstream_openjdk-6: released (6b16-1)
46
hardy_openjdk-6: released (6b18-1.8.2-4ubuntu1~8.04.1)
47
intrepid_openjdk-6: ignored (reached end-of-life)
48
jaunty_openjdk-6: ignored (reached end-of-life)
49
karmic_openjdk-6: not-affected (6b16-1.6.1-0ubuntu1)
50
lucid_openjdk-6: not-affected (6b16-1.6.1-0ubuntu1)
51
maverick_openjdk-6: not-affected (6b16-1.6.1-0ubuntu1)
52
devel_openjdk-6: not-affected (6b16-1.6.1-0ubuntu1)