Overview
Apple's Mac OS X operating system contains a flaw in the handling of ICC color profiles, which may allow arbitrary code execution through a heap-based buffer overflow.
Description
The Apple Mac OS X operating system contains support for ICC color profiles in the ColorSync component. This component contains a flaw in checking boundary conditions which may allow arbitrary code execution. When checking certain parameters in ICC color profiles, improperly formatted or maliciously crafted embedded profiles may cause a heap-based buffer overflow which would allow arbitrary code execution. |
Impact
An attacker with the ability to supply a maliciously crafted profile may be able to execute arbitrary code on a vulnerable system. The attacker-supplied code would be executed with the privileges of the user running ColorSync. |
Solution
Apply a patch
|
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
Thanks to Apple Product Security for reporting this vulnerability.
This document was written by Ken MacInnis.
Other Information
| CVE IDs: | CVE-2005-0126 |
| Severity Metric: | 4.13 |
| Date Public: | 2005-01-25 |
| Date First Published: | 2005-01-27 |
| Date Last Updated: | 2005-01-27 22:54 UTC |
| Document Revision: | 7 |