CVE-2009-0733 — HIGH (9.3) — White Hats Nepal

Q: How severe is CVE-2009-0733?

CVE-2009-0733 has been rated HIGH with a CVSS base score of 9.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2009-0733?

Check the references section above for vendor advisories and patch information. Affected products include: Gimp Gimp, Mozilla Firefox, Sun Openjdk, Littlecms Little Cms.

Vulnerability Description

Multiple stack-based buffer overflows in the ReadSetOfCurves function in LittleCMS (aka lcms or liblcms) before 1.18beta2, as used in Firefox 3.1beta, OpenJDK, and GIMP, allow context-dependent attackers to execute arbitrary code via a crafted image file associated with a large integer value for the (1) input or (2) output channel, related to the ReadLUT_A2B and ReadLUT_B2A functions.

CVSS Score

9.3

HIGH

AV:N/AC:M/Au:N/C:C/I:C/A:C

Confidentiality

COMPLETE

Integrity

COMPLETE

Availability

COMPLETE

Affected Products

Vendor	Product	Versions
Gimp	Gimp	< 2.9.2
Mozilla	Firefox	3.1
Sun	Openjdk	<= 7
Littlecms	Little Cms	<= 1.17

Related Weaknesses (CWE)

CWE-787

References

http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.htmlThird Party Advisory
http://scary.beasts.org/security/CESA-2009-003.htmlExploit
http://scarybeastsecurity.blogspot.com/2009/03/littlecms-vulnerabilities.htmlExploit
http://secunia.com/advisories/34367Broken Link
http://secunia.com/advisories/34382Broken Link
http://secunia.com/advisories/34400Broken Link
http://secunia.com/advisories/34408Broken Link
http://secunia.com/advisories/34418Broken Link
http://secunia.com/advisories/34442Broken Link
http://secunia.com/advisories/34450Broken Link
http://secunia.com/advisories/34454Broken Link
http://secunia.com/advisories/34463Broken Link
http://secunia.com/advisories/34632Broken Link
http://secunia.com/advisories/34675Broken Link
http://secunia.com/advisories/34782Broken Link

FAQ

What is CVE-2009-0733?

CVE-2009-0733 is a vulnerability with a CVSS score of 9.3 (HIGH). Multiple stack-based buffer overflows in the ReadSetOfCurves function in LittleCMS (aka lcms or liblcms) before 1.18beta2, as used in Firefox 3.1beta, OpenJDK, and GIMP, allow context-dependent attack...

How severe is CVE-2009-0733?

CVE-2009-0733 has been rated HIGH with a CVSS base score of 9.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2009-0733?

Check the references section above for vendor advisories and patch information. Affected products include: Gimp Gimp, Mozilla Firefox, Sun Openjdk, Littlecms Little Cms.