CVE-2008-5317 — Lcms vulnerability

CWE-1897 documents6 sources

Severity

10.0CRITICALNVD

EPSS

0.9%

top 23.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Littlecms Lcms Littlecms Little CMS Color Engine

Timeline

PublishedDec 3

Latest updateMay 14

Description

Integer signedness error in the cmsAllocGamma function in src/cmsgamma.c in Little cms color engine (aka lcms) before 1.17 allows attackers to have an unknown impact via a file containing a certain "number of entries" value, which is interpreted improperly, leading to an allocation of insufficient memory.

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 10.0 | Impact: 10.0

Affected Packages2 packages

▶NVDlittlecms/little_cms_color_engine1.16+9

▶NVDlittlecms/lcms1.16+9

Patches

Patch: lcms.cvs.sourceforge.net ↗Patch: lcms.cvs.sourceforge.net ↗

🔴Vulnerability Details

GHSA

GHSA-6399-c226-99jr: Integer signedness error in the cmsAllocGamma function in src/cmsgamma↗2022-05-14

▶

CVEList

CVE-2008-5317: Integer signedness error in the cmsAllocGamma function in src/cmsgamma↗2008-12-03

▶

📋Vendor Advisories

Ubuntu

LittleCMS vulnerability↗2008-12-17

▶

Ubuntu

LittleCMS vulnerability↗2008-10-14

▶

Red Hat

lcms: unsigned -> signed integer cast issue in cmsAllocGamma↗2007-11-22

▶

💬Community

Bugzilla

CVE-2008-5317 lcms: unsigned -> signed integer cast issue in cmsAllocGamma↗2008-11-28

▶