Bug 503785

Summary: Ghostscript: Multiple NULL pointer dereferences in JBIG2 decoder
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: twaugh, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.milw0rm.com/exploits/8090
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-21 22:40:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 503991, 503992, 503994, 503995    
Bug Blocks: 501710, 621118    
Attachments:
Description Flags
Suggested patch by Tim Waugh none

Description Jan Lieskovsky 2009-06-02 17:46:29 UTC
Multiple NULL pointer dereference deficiencies were found in the Ghostscript's JBIG2 compression format decoder. Opening a specially-crafted Portable Document
Format (PDF) file would cause "pdf2ps" to crash.

Note: This bug was discovered by PoC provided for the Adobe Reader 9.0
      and Adobe Acrobat 9.0 CVE-2009-0658 flaw.

PoC: 
http://milw0rm.com/sploits/2009-41414141.pdf

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0658
http://www.milw0rm.com/exploits/8090
http://www.milw0rm.com/exploits/8099
http://bl4cksecurity.blogspot.com/2009/03/adobe-acrobatreader-universal-exploit.html
http://milw0rm.com/exploits/8280
http://www.adobe.com/support/security/bulletins/apsb09-04.html
http://www.adobe.com/support/security/advisories/apsa09-01.html

Comment 2 Jan Lieskovsky 2009-06-02 17:51:48 UTC
This issue does NOT affect the versions of the Ghostscript packages, as shipped
with Red Hat Enterprise Linux 3 or 4.

This issue affects the version of the Ghostscript package, as shipped
with Red Hat Enterprise Linux 5.

This issue affects the versions of the Ghostscript packages, as shipped
with Fedora releases of 9, 10, and 11.

Comment 3 Jan Lieskovsky 2009-06-03 17:46:31 UTC
Official statement from Red Hat regarding this bug:
---------------------------------------------------

Red Hat does not consider bugs which result in a user-assisted crash
of end user application (such as "pdf2ps") to be a security issue.

Comment 7 Vincent Danen 2009-10-26 22:19:54 UTC
This has already been corrected in Fedora:

* Thu Jun 04 2009 Tim Waugh <twaugh> 8.64-7
- Applied patch to fix NULL dereference in JBIG2 decoder (bug #503995). 

Using the attached patch (newer variants for 8.70 are in Fedora CVS: ghostscript-jbig2dec-nullderef.patch).

CVE request: http://www.openwall.com/lists/oss-security/2009/10/26/4

Comment 8 Vincent Danen 2010-12-21 22:40:37 UTC
A CVE name was never assigned to this and as we do not consider this a security flaw, I'm closing the bug.