Bug 487744 (CVE-2009-0584)
Summary: | CVE-2009-0584 ghostscript, argyllcms: Multiple insufficient upper-bounds checks on certain sizes in the International Color Consortium Format Library
---|---
Product: | [Other] Security Response
Component: | vulnerability
Status: | VERIFIED
Severity: | medium
Priority: | medium
Version: | unspecified
Hardware: | All
OS: | Linux
Reporter: | Jan Lieskovsky <jlieskov>
Assignee: | Nobody <nobody>
CC: | gwync, twaugh
Keywords: | Security
Doc Type: | Bug Fix
Bug Depends On: | 487747, 487748, 487749, 487750, 487751, 491276, 491277, 491278
Description
Jan Lieskovsky
2009-02-27 18:28:15 UTC
Lifting embargo

ghostscript-8.63-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.

ghostscript-8.63-5.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

Common Vulnerabilities and Exposures assigned an identifier CVE-2008-0584 to this vulnerability:

icc.c in the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and earlier, allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code by using a device file for processing a crafted image file associated with large integer values for certain sizes, related to an ICC profile in a (1) PostScript or (2) PDF file with embedded images.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0584
http://www.securityfocus.com/archive/1/archive/1/501994/100/0/threaded
http://bugs.gentoo.org/show_bug.cgi?id=261087
http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0050
https://issues.rpath.com/browse/RPL-2991
http://www.debian.org/security/2009/dsa-1746
http://www.securityfocus.com/bid/34184
http://securitytracker.com/id?1021868
http://secunia.com/advisories/34373
http://secunia.com/advisories/34381
http://secunia.com/advisories/34393
http://secunia.com/advisories/34398
http://www.vupen.com/english/advisories/2009/0776
http://www.vupen.com/english/advisories/2009/0777
http://xforce.iss.net/xforce/xfdb/49327

argyllcms-1.0.3-3.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

argyllcms-1.0.3-3.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.

Created attachment 355610
fix a bug in this security patch
The fix for CVE 2009-0583/0584 introduces a serious bug that causes icclib to reject most ICC profiles, effectively disabling ICC handling in Ghostscript.
The attached two-line patch fixes the two issues. First, by limiting the number of points in icmLut_read to the specified limit of 255 instead of 100 like the original patch. Second, by resetting an error condition when icm_read_tag fails to find a black point tag. This tag is optional, so the error should not be propagated; originally it was just ignored, but new error checking introduced by the security patch caught it when processing subsequent tags, incorrectly rejecting the profile as unreadable.
I recommend updating the package with this fix to address the serious regressions introduced in the 8.64-5 release. The same change will be included in the upstream ghostscript-8.70 release.
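
The two regressions described in the last comment, as an added C sketch that is neither icclib's code nor the attached patch: an overflow-safe table size check using the 255 grid-point limit, and a sticky error left behind by a missing optional black point tag. The names `reader`, `lut_entries`, `find_tag`, `read_profile` and the `MAX_CHANNELS` value are hypothetical; the tag table in `main` is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#define MAX_GRID_POINTS 255u         /* limit named in the comment above */
#define MAX_CHANNELS    15u          /* assumption for this sketch */
#define TAG_BKPT 0x626B7074u         /* 'bkpt', media black point (optional) */
#define TAG_A2B0 0x41324230u         /* 'A2B0', a LUT tag */
typedef struct { int errc; } reader; /* hypothetical sticky error, 0 = ok */

/* entries = out_chan * points^in_chan, rejecting oversized fields and any
   product that would wrap size_t. Also refuses to run on a stale error. */
int lut_entries(reader *r, unsigned in_chan, unsigned out_chan,
                unsigned points, size_t *entries)
{
    size_t n = out_chan;
    if (r->errc != 0) return r->errc;
    if (in_chan == 0 || in_chan > MAX_CHANNELS || out_chan == 0 ||
        out_chan > MAX_CHANNELS || points == 0 || points > MAX_GRID_POINTS)
        return r->errc = 1;
    for (unsigned i = 0; i < in_chan; i++) {
        if (n > SIZE_MAX / points) return r->errc = 1; /* would wrap */
        n *= points;
    }
    *entries = n;
    return 0;
}

/* Hypothetical lookup: 0 if present, else sets and returns error 2. */
int find_tag(reader *r, const uint32_t *tags, size_t ntags, uint32_t sig)
{
    for (size_t i = 0; i < ntags; i++)
        if (tags[i] == sig) return 0;
    return r->errc = 2;
}

/* Returns 0 when the profile is accepted. reset_optional = 0 reproduces the
   regression: the missing optional tag leaves errc set for later checks. */
int read_profile(const uint32_t *tags, size_t ntags, unsigned points,
                 int reset_optional, size_t *entries)
{
    reader r = { 0 };
    if (find_tag(&r, tags, ntags, TAG_BKPT) != 0 && reset_optional)
        r.errc = 0;                  /* optional tag: absence is not an error */
    if (find_tag(&r, tags, ntags, TAG_A2B0) != 0) return r.errc;
    return lut_entries(&r, 3, 3, points, entries);
}

int main(void) {                     /* constructed tag table without 'bkpt' */
    uint32_t tags[] = { TAG_A2B0 }; size_t n;
    return read_profile(tags, 1, 33, 1, &n);
}
```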