Bug 2224368 (CVE-2023-38560)

Summary: CVE-2023-38560 ghostscript: Integer overflow in pcl/pl/plfont.c:418 in pl_glyph_name
Product: [Other] Security Response
Reporter: Michael Kaplan <mkaplan>
Component: vulnerability
Assignee: Nobody <nobody>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: carnil, mjg, psampaio, rlescak, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
An integer overflow flaw was found in pcl/pl/plfont.c:418 in pl_glyph_name in ghostscript. This issue may allow a local attacker to cause a denial of service via transforming a crafted PCL file to PDF format.
Last Closed: 2023-08-01 19:02:50 UTC
Bug Depends On: 2224375, 2224376, 2224377, 2224378, 2225381
Bug Blocks: 2224370

Description Michael Kaplan 2023-07-20 14:50:26 UTC
An integer overflow in pcl/pl/plfont.c:418 in pl_glyph_name allows a local attacker to cause a denial of service via a crafted PCL file and transforming it to PDF format.

Comment 3 TEJ RATHI 2023-07-25 07:05:58 UTC
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 2225381]

Comment 4 Michael J Gruber 2023-07-25 10:17:05 UTC
(In reply to Michael Kaplan from comment #1)
> References:
> 
> https://bugs.ghostscript.com/show_bug.cgi?id=70689
> https://bugs.ghostscript.com/show_bug.cgi?id=706897
> https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b7eb1d0174c

Strange fix that is:

If "a > b - 1" is a problem because a, b are unsigned then why not use "a + 1 > b"?

The fix relies implicitly on the fact that an "int" can fit a "u16", or else we get new problems ... (Can't comment on the original gs bug which is locked.)
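
Added illustration of the comparison shapes discussed in the comment above (this is not ghostscript's code; the function names, parameter names and the `unsigned`/`uint16_t` types are assumptions for the example): a bounds check of an index `idx` against a table size `count`, showing why `a > b - 1` on unsigned operands passes everything when `b == 0`, and how the int-cast and `a + 1 > b` forms behave.

```c
#include <stdbool.h>
#include <stdint.h>
#include <limits.h>
#include <stdio.h>

/* Hypothetical glyph-table bounds check: is `idx` outside a table that
 * holds `count` entries?  Three shapes of the same test. */

/* Shape 1: "a > b - 1" on plain unsigned operands.
 * With count == 0, `count - 1` wraps to UINT_MAX, so no idx is ever
 * reported out of bounds: an index into an empty table passes. */
static bool out_of_bounds_unsigned(unsigned idx, unsigned count)
{
    return idx > count - 1;
}

/* Shape 2: the form the comment says the fix relies on: cast to int so
 * that `count - 1` becomes -1 instead of wrapping.  Correct only while
 * both values fit in an int, which holds for uint16_t but not for an
 * arbitrary unsigned. */
static bool out_of_bounds_int_cast(uint16_t idx, uint16_t count)
{
    return (int)idx > (int)count - 1;
}

/* Shape 3: the "a + 1 > b" form suggested in the comment.  No subtraction,
 * so count == 0 is handled.  With uint16_t operands `idx + 1` is promoted
 * to int and cannot wrap; with plain unsigned it would wrap at UINT_MAX,
 * so the operand width still matters here too. */
static bool out_of_bounds_plus_one(uint16_t idx, uint16_t count)
{
    return idx + 1 > count;
}

int main(void)
{
    /* Constructed input: index 5 into an empty table. */
    unsigned idx = 5, count = 0;
    printf("unsigned  a > b - 1 : %d\n", out_of_bounds_unsigned(idx, count));
    printf("(int) a > (int)b - 1: %d\n", out_of_bounds_int_cast(idx, count));
    printf("a + 1 > b           : %d\n", out_of_bounds_plus_one(idx, count));
    return 0;
}
```

Only the first shape reports 0 (in bounds) for the empty table; the other two correctly report 1.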

Comment 5 Product Security DevOps Team 2023-08-01 19:02:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-38560

Comment 6 Salvatore Bonaccorso 2023-08-04 04:07:58 UTC
Hi

The upstream bug reference should be https://bugs.ghostscript.com/show_bug.cgi?id=706898, can you please correct that here as well in the CVE record?

Regards,
Salvatore

Comment 7 Pedro Sampaio 2023-08-07 12:15:07 UTC
(In reply to Salvatore Bonaccorso from comment #6)
> Hi
> 
> The upstream bug reference should be
> https://bugs.ghostscript.com/show_bug.cgi?id=706898, can you please correct
> that here as well in the CVE record?
> 
> Regards,
> Salvatore

Fixed. Thanks!