Bug 627902 (CVE-2009-3743)

Summary: CVE-2009-3743 ghostscript: TrueType bytecode intepreter integer overflow or wraparound
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: lijli, liko, rcvalle, twaugh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-02-14 13:55:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 755924, 755925, 755926, 755928, 755929    
Bug Blocks: 733386    

Description Jan Lieskovsky 2010-08-27 10:59:08 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3743 to
the following vulnerability:

Off-by-one error in the TrueType bytecode interpreter in Ghostscript
before 8.71 allows remote attackers to execute arbitrary code or cause
a denial of service (heap memory corruption) via a malformed TrueType
font in a document.

References:
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3743
  [2] http://www.kb.cert.org/vuls/id/JALR-87YGN8
  [3] http://www.kb.cert.org/vuls/id/644319

Upstream bug report:
  [4] http://bugs.ghostscript.com/show_bug.cgi?id=691044

Upstream changeset:
  [5] http://code.google.com/p/ghostscript/source/detail?r=10602
Comment 9 Tomas Hoger 2010-08-30 14:52:02 UTC 
(In reply to comment #0)
> Off-by-one error in the TrueType bytecode interpreter in Ghostscript

While this may possibly allow off-by-one over-read, the more important issue is an integer underflow leading to memory corruption.  Upstream patch fixes Ins_MINDEX() to skip standard processing when 0 is passed as an argument (L) to the function.  Skipped code is:

    K = CUR.stack[CUR.args - L];

    memmove( (&CUR.stack[CUR.args - L    ]),
              (&CUR.stack[CUR.args - L + 1]),
              (L - 1) * sizeof ( Long ) );

    CUR.stack[ CUR.args-1 ] = K;

When L==0, memmove() is called with the third argument being (-1)*sizeof(long), which is close to SIZE_MAX or address space limit of the architecture.  Hence program will try to move all its memory, which leads to crash before that memmove() call finishes.  Memory corruption is under very limited control of an attacker, making it more difficult to reliably exploit for code execution.
Comment 13 Jan Lieskovsky 2010-11-26 14:27:47 UTC 
Toucan System advisory:
[1] http://www.toucan-system.com/advisories/tssa-2010-01.txt
Comment 18 Ramon de C Valle 2011-11-22 12:47:10 UTC 
Created ghostscript tracking bugs for this issue

Affects: fedora-all [bug 755929]
Comment 22 errata-xmlrpc 2012-02-02 22:45:42 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:0095 https://rhn.redhat.com/errata/RHSA-2012-0095.html