Little CMS
cpe:2.3:a:littlecms:little_cms:*:*:*:*:*:*:*
- <= 2.18
A vulnerability has been identified in Little CMS (lcms2) versions 2.16 through 2.18; it is fixed in 2.19. The issue is an integer overflow in the ParseCube function in cmscgats.c. When the parser computes the size of a Color Look-Up Table (CLUT) from the dimensions declared in the input, the multiplication can wrap, so the heap buffer it allocates is smaller than the CLUT data that is subsequently written into it, producing a heap buffer overflow. The overflow is triggered by profile data that declares CLUT dimensions large enough to wrap the size calculation. The flaw is reachable through applications that use Little CMS for PDF processing, leading to crashes and potential information disclosure.
Exploitation of this vulnerability causes a heap buffer overflow, which typically leads to a segmentation fault and an application crash. On Linux systems with the default glibc allocator and Address Space Layout Randomization (ASLR) turned off, the same out-of-bounds access also yields a coarse information leak: specific bytes of heap memory can be read back, creating a channel for information disclosure. Since ASLR is enabled by default on current Linux distributions, that leak scenario assumes a weakened configuration; the crash does not.
The vulnerability can be reproduced by crafting a PDF file that embeds an ICC profile whose Color Look-Up Table (CLUT) dimensions are chosen so that the size calculation overflows. When such a PDF is processed by an application such as Evince or GIMP, or by any consumer of the Poppler PDF rendering library, the application crashes with a segmentation fault inside the Little CMS library. Generating the trigger can be automated with a small C program that calls the Little CMS API to build the malformed profile, or with a Python script that emits the same bytes.
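The size miscalculation described above, reduced to a minimal illustration in C. This is an added example written for this page, not code from Little CMS: the function names, the fixed three-channel float grid layout and the 256 grid-point cap are assumptions chosen to show the bug class and a hardened counterpart, not lcms2's actual ParseCube logic or its fix.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed layout for this illustration: a 3-D grid of dim x dim x dim
 * entries, each holding three float channels. Not an lcms2 structure. */
#define CLUT_CHANNELS 3u
#define CLUT_MAX_GRID_POINTS 256u  /* assumed policy cap, not an lcms2 constant */

/* Vulnerable pattern: the byte count is computed in 32-bit arithmetic.
 * For dim = 1024 the product 1024^3 * 3 * 4 equals exactly 3 * 2^32,
 * which wraps to 0: the parser would then malloc(0) and go on to write
 * 1024^3 * 3 floats into it, which is the heap buffer overflow. */
static uint32_t clut_bytes_unchecked(uint32_t dim)
{
    uint32_t entries = dim * dim * dim * CLUT_CHANNELS;  /* may wrap */
    return entries * (uint32_t)sizeof(float);            /* may wrap again */
}

/* Hardened pattern: widen to 64 bits, check every multiplication against
 * UINT64_MAX before performing it, and refuse anything that would not fit
 * in size_t. Returns 1 and stores the byte count on success, 0 on rejection. */
static int clut_bytes_checked(uint32_t dim, size_t *out_bytes)
{
    const uint64_t factors[] = { dim, dim, dim, CLUT_CHANNELS, sizeof(float) };
    uint64_t total = 1;
    if (dim == 0) return 0;
    for (size_t i = 0; i < sizeof factors / sizeof factors[0]; i++) {
        if (total > UINT64_MAX / factors[i]) return 0;   /* would overflow */
        total *= factors[i];
    }
    if (total > (uint64_t)SIZE_MAX) return 0;            /* too big for size_t */
    *out_bytes = (size_t)total;
    return 1;
}

/* Allocation wrapper a parser would call: applies the (assumed) grid cap
 * and the overflow check before touching the allocator. */
static float *clut_alloc(uint32_t dim)
{
    size_t bytes;
    if (dim > CLUT_MAX_GRID_POINTS) return NULL;
    if (!clut_bytes_checked(dim, &bytes)) return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed sample dimensions: a tiny grid, a typical one, and the
     * one that wraps the 32-bit calculation to zero. */
    const uint32_t dims[] = { 2, 33, 1024 };
    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        size_t bytes = 0;
        int ok = clut_bytes_checked(dims[i], &bytes);
        float *grid = clut_alloc(dims[i]);
        printf("dim=%" PRIu32 ": unchecked=%" PRIu32 " bytes, checked=",
               dims[i], clut_bytes_unchecked(dims[i]));
        if (ok) printf("%zu bytes", bytes); else printf("rejected");
        printf(", alloc=%s\n", grid ? "ok" : "refused");
        free(grid);
    }
    return 0;
}
```

The unchecked function is the shape of the bug: every factor is individually small, so no single value looks suspicious until the product wraps. The checked version tests `total > UINT64_MAX / factor` before each multiply, which is the portable way to detect overflow without relying on compiler builtins, and the cap rejects grids that no legitimate table would declare even when the arithmetic itself would fit.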
Users should upgrade to Little CMS version 2.19, which fixes the integer overflow in the ParseCube function; it is available from the Little CMS GitHub repository. Because lcms2 is often shipped as a shared library but is also bundled or statically linked by some applications, check each affected application for its own copy of the library rather than relying on a single system-wide update.