iccDEV Undefined Behavior Vulnerability in IccProfLib IccIO Component

Vulnerability

A vulnerability causing undefined behavior has been identified in iccDEV versions prior to 2.3.1.6. The issue arises from an implicit conversion of a negative signed integer to an unsigned size_t, which changes the value: a negative count becomes a very large unsigned one. The affected code is in the IccProfLib/IccIO.cpp file, specifically at line 569, and the defect can lead to process crashes or unpredictable behavior.
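The following is an added illustration of the bug class described above, not iccDEV's own code: a hypothetical length-prefixed reader shows how a negative signed length silently becomes a huge size_t, and how a checked conversion rejects it before it is used as a size. The buffer layout and function names are assumptions for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <limits>
#include <vector>

// Unchecked conversion: models the defect class. A negative n is converted
// implicitly to size_t and wraps to SIZE_MAX - |n| + 1 (for -1, SIZE_MAX).
// This is the kind of value change clang's
// -fsanitize=implicit-integer-sign-change reports at runtime.
size_t unchecked_to_size(int32_t n) {
    size_t len = n;  // implicit signed -> unsigned conversion
    return len;
}

// Hardened conversion: reject negative values and values larger than the
// remaining input before the number is ever used as a size.
bool checked_to_size(int32_t n, size_t remaining, size_t &out) {
    if (n < 0) return false;
    size_t len = static_cast<size_t>(n);
    if (len > remaining) return false;
    out = len;
    return true;
}

// Hypothetical record format (constructed for this example): a big-endian
// signed 32-bit length followed by that many payload bytes. Returns the
// number of payload bytes copied, or -1 if the length is rejected.
long parse_length_prefixed(const std::vector<uint8_t> &buf,
                           std::vector<uint8_t> &payload) {
    if (buf.size() < 4) return -1;
    uint32_t u = (uint32_t(buf[0]) << 24) | (uint32_t(buf[1]) << 16) |
                 (uint32_t(buf[2]) << 8) | uint32_t(buf[3]);
    int32_t n;
    std::memcpy(&n, &u, sizeof n);  // reinterpret as the signed field
    size_t len = 0;
    if (!checked_to_size(n, buf.size() - 4, len)) return -1;
    payload.assign(buf.begin() + 4, buf.begin() + 4 + len);
    return static_cast<long>(len);
}
```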

Impact

Exploitation of this vulnerability can cause the process to crash or behave unpredictably, creating a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by downloading an ICC file crafted to trigger the undefined behavior and then processing it with the 'iccDumpProfileGui' tool. This will generate a runtime error indicating the implicit conversion issue.

Remediation

Users should update to iccDEV version 2.3.1.6 or later. Instructions for updating via npm, Homebrew, Docker, and NixOS are available in the GitHub advisory.

Added: Mar 31, 2026, 11:45 PM
Updated: Mar 31, 2026, 11:45 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.0
remediation: 0.0
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.