Lucene search

Gentoo FoundationGLSA-201206-04

HistoryJun 18, 2012 - 12:00 a.m.

ArgyllCMS: User-assisted execution of arbitrary code

2012-06-1800:00:00

Gentoo Foundation

security.gentoo.org

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.044 Low

EPSS

Percentile

92.4%

JSON

Background

ArgyllCMS is an ICC compatible color management system that supports accurate ICC profile creation for scanners, cameras and film recorders.

Description

ArgyllCMS does not properly handle ICC profiles causing a use-after-free vulnerability.

Impact

A remote attacker could entice a user to open a specially crafted image file using ArgyllCMS, possibly resulting in execution of arbitrary code with the privileges of the process, or a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All argyllcms users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "&gt;=media-gfx/argyllcms-1.4.0"

OSVersionArchitecturePackageVersionFilename
Gentooanyallmedia-gfx/argyllcms< 1.4.0UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Gentoo	any	all	media-gfx/argyllcms	< 1.4.0	UNKNOWN

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.044 Low

EPSS

Percentile

92.4%

JSON

Related for GLSA-201206-04