Bug 1232805 (CVE-2015-3228)

Summary: CVE-2015-3228 ghostscript-core: out-of-bounbds read and write in gs_ttf.ps
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bleanhar, carnil, ccoleman, dmcphers, jdetiber, jgrulich, jialiu, jkeck, jokerman, jrusnack, kseifried, lmeyer, mmccomas, security-response-team, slawomir
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: GhostScript 9.10 Doc Type: Bug Fix
Doc Text:
An integer overflow flaw was discovered in one of Ghostscript's memory allocation routines. A remote attacker could possibly exploit this flaw to cause a crash or, potentially, execute arbitrary code by tricking a user into processing a specially crafted file.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-10-16 13:11:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1232808    

Description Vasyl Kaigorodov 2015-06-17 14:06:58 UTC 
Out-of-bounbds read and write has been reported in GhostScript package while processing a crafted .ps file.

Upstream bug: http://bugs.ghostscript.com/show_bug.cgi?id=696041
Upstream commit that fixes this (as per reporter): http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ecc7a199e9307475c37fea0c44d24b85df814ead 

Acknowledgements:

Red Hat would like to thank William Robinet of Conostix S.A. for reporting this issue.
Comment 2 Stefan Cornelius 2015-06-30 15:25:52 UTC 
I believe that the root issue is actually an integer overflow in one of
the memory allocation routines.

gs_heap_alloc_bytes() function in base/gsmalloc.c:
>        uint added = size + sizeof(gs_malloc_block_t);
>
>        if (mmem->limit - added < mmem->used)
>            set_msg("exceeded limit");
>        else if ((ptr = (byte *) Memento_label(malloc(added), cname)) == 0)
>            set_msg("failed");


If "size" is very large, then size+sizeof(gs_malloc_block_t) can cause
a wrap-around and "size" will suddenly be a lot smaller than it
actually needs to be.
Comment 3 Stefan Cornelius 2015-07-08 10:51:53 UTC 
Upstream patch:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0c0b0859
Comment 4 Martin Prpič 2015-07-24 07:25:39 UTC 
Public via:

http://openwall.com/lists/oss-security/2015/07/23/14