CVE-2009-0581

LittleCms memory leak

  • Severity Score (CVSS v2): 4.3
  • Exploit Likelihood (EPSS)
  • Affected Versions (CPE)
  • Public Exploits (Multiple Sources): 2
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -

Descriptions

Memory leak in LittleCMS (aka lcms or liblcms) before 1.18beta2, as used in Firefox 3.1beta, OpenJDK, and GIMP, allows context-dependent attackers to cause a denial of service (memory consumption and application crash) via a crafted image file.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: None
  • Integrity: None
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2009-02-13 CVE Reserved
  • 2009-03-23 CVE Published
  • 2023-05-11 EPSS Updated
  • 2024-08-07 CVE Updated
  • 2024-08-07 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-401: Missing Release of Memory after Effective Lifetime
CAPEC
References (42)
URL Date SRC
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html 2023-02-13
http://security.gentoo.org/glsa/glsa-200904-19.xml 2023-02-13
http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.487438 2023-02-13
http://www.debian.org/security/2009/dsa-1745 2023-02-13
http://www.debian.org/security/2009/dsa-1769 2023-02-13
http://www.mandriva.com/security/advisories?name=MDVSA-2009:121 2023-02-13
http://www.mandriva.com/security/advisories?name=MDVSA-2009:137 2023-02-13
http://www.mandriva.com/security/advisories?name=MDVSA-2009:162 2023-02-13
http://www.redhat.com/support/errata/RHSA-2009-0339.html 2023-02-13
http://www.ubuntu.com/usn/USN-744-1 2023-02-13
https://bugzilla.redhat.com/show_bug.cgi?id=487509 2009-04-07
https://rhn.redhat.com/errata/RHSA-2009-0377.html 2023-02-13
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00794.html 2023-02-13
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00799.html 2023-02-13
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00811.html 2023-02-13
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00851.html 2023-02-13
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00856.html 2023-02-13
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00857.html 2023-02-13
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00921.html 2023-02-13
https://access.redhat.com/security/cve/CVE-2009-0581 2009-04-07
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| Littlecms | Little Cms | <= 1.17 | - | Affected |
| Gimp | Gimp | * | - | Affected |
| Mozilla | Firefox | 3.1 | beta1 | Affected |
| Sun | Openjdk | <= 7 | - | Affected |