This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours

Bug 854227 (CVE-2012-4405)

Summary: CVE-2012-4405 ghostscript, argyllcms: Array index error leading to heap-based bufer OOB write
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jrusnack, security-response-team, twaugh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20120911,reported=20120904,source=researcher,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-5/ghostscript=affected,rhel-6/ghostscript=affected,fedora-all/ghostscript=affected,fedora-all/argyllcms=affected,cwe=CWE-787[auto]
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 854548, 854549, 854550, 854551, 856060, 856061    
Bug Blocks: 854262    
Attachments:
Description Flags
patch for ghostscript none

Description Jan Lieskovsky 2012-09-04 08:56:56 EDT
An array index error leading to heap-based buffer out-of-buffer bounds write flaw was found in the way International Color Consortium (ICC) Format library (aka icclib) as used in Ghostscript and Argyll Color Management System computed dimensional increment through the clut based on the count of input channels. Using specially-crafted ICC profiles, an attacker could create a malicious PostScript or PDF file with embedded images which would cause Ghostscript to crash or, potentially, execute arbitrary code when opened by the victim. Similarly when such specially-crafted ICC profile was inspected by some of the Argyll Color Management System tools it could lead to particular executable crash or, arbitrary code execution with the privileges of the user running the binary.

Acknowledgements:

Red Hat would like to thank Marc Schönefeld for reporting this issue.
Comment 2 Jan Lieskovsky 2012-09-04 09:04:18 EDT
This issue affects the versions of the ghostscript package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the version of the ghostscript package, as shipped with Fedora release of 16 and 17.

--

This issue affects the versions of the argyllcms package, as shipped with Fedora release of 16 and 17.
Comment 5 Huzaifa S. Sidhpurwala 2012-09-05 04:11:34 EDT
Analysis:

This really is an integer overflow, causing heap-buffer overflow. 

In icc.c:icmLut_allocate()
icmbase *pp is taken as an arguement to this function, from which icmLut *p is extracted.
Various checks are done on the members of the struct pointed by *pp. Later the following happens:

 6471         i = p->inputChan-1;
 6472         p->dinc[i--] = p->outputChan;

Though p->inputChan is checked for upper bounds, its not really checked for lower bounds. In case of our malicious input file, p->inputChan = 0. Since i is unsigned, this causes an integer overflow for i, resulting in a very large value for it.

Later p->dinc[i--] = p->outputChan; causes an out of bounds write in the buffer
p->dinc, which is controlled i.

The size of the p->dinc buffer is 15. The chances of exploitation seem a little higher to me, specially because the _icmLut structure contains pointers to functions.
Comment 9 Huzaifa S. Sidhpurwala 2012-09-11 01:42:48 EDT
Created argyllcms tracking bugs for this issue

Affects: fedora-all [bug 856061]
Comment 10 Huzaifa S. Sidhpurwala 2012-09-11 01:42:53 EDT
Created ghostscript tracking bugs for this issue

Affects: fedora-all [bug 856060]
Comment 11 errata-xmlrpc 2012-09-11 14:26:42 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:1256 https://rhn.redhat.com/errata/RHSA-2012-1256.html
Comment 12 Graeme Gill 2012-09-23 21:18:05 EDT
Probably a good idea to notify upstream in the case of discovering bugs
in external software, so that your fixes don't get undone at the next update.

[i.e. you seem to be expecting me to randomly stumble over this bug report.
 There is no guarantee that this will be the case. ]
Comment 13 Jan Lieskovsky 2012-09-24 12:54:22 EDT
(In reply to comment #12)

Hello Graeme,

> Probably a good idea to notify upstream in the case of discovering bugs
> in external software, so that your fixes don't get undone at the next update.

Sure. This has been the practice for previous cases like this one. I am not sure why / how in this specific case it did not happen.

Anyway, we will make a note about this and ensure this will not occur again.

Apologize for the inconvenience.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> 
> [i.e. you seem to be expecting me to randomly stumble over this bug report.
>  There is no guarantee that this will be the case. ]
Comment 14 Fedora Update System 2012-09-28 19:53:45 EDT
ghostscript-9.05-4.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2012-09-28 19:55:44 EDT
ghostscript-9.05-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.