Bug 493379 (CVE-2009-0196)

Summary: CVE-2009-0196 ghostscript: Missing boundary check in Ghostscript's jbig2dec library
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: mjc, redhat-bugzilla, security-response-team, twaugh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: reported=20090326,public=20090408,source=vendorsec,impact=moderate,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-02-14 13:55:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 491857, 491858, 495915, 495916, 495917    
Bug Blocks:    
Description Flags
Upstream patch from Ralph Giles none

Description Jan Lieskovsky 2009-04-01 15:45:37 UTC
A missing boundary check flaw was found in the Ghostscript's JBIG2 decoding library. An attacker could create a specially-crafted PDF file which could
cause Ghostscript to crash, or, potentially execute arbitrary code, when
opened by the victim.


Red Hat would like to thank Alin Rad Pop of Secunia Research for
responsibly reporting this flaw.

Comment 3 Tomas Hoger 2009-04-01 16:15:47 UTC
This issue was reported by Alin Rad Pop, Secunia Research.

Comment 4 Tomas Hoger 2009-04-02 08:30:54 UTC
Created attachment 337747 [details]
Upstream patch from Ralph Giles

Comment 7 Tomas Hoger 2009-04-10 19:17:38 UTC
Secunia advisory:

Comment 9 errata-xmlrpc 2009-04-14 17:54:07 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:0421 https://rhn.redhat.com/errata/RHSA-2009-0421.html

Comment 12 Fedora Update System 2009-04-15 17:11:14 UTC
ghostscript-8.63-3.fc9 has been submitted as an update for Fedora 9.

Comment 13 Fedora Update System 2009-04-15 21:49:33 UTC
ghostscript-8.63-6.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2009-04-15 21:50:06 UTC
ghostscript-8.63-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.