Multiple insufficient upper-bounds checks on certain sizes were found in
Ghostscript's International Color Consortium Format Library (icclib). An
attacker could use this flaw to potentially execute arbitrary code by
providing a specially-crafted image file for processing via the Ghostscript's
ghostscript-8.63-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
ghostscript-8.63-5.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-0584 to
icc.c in the International Color Consortium (ICC) Format library (aka
icclib), as used in Ghostscript 8.64 and earlier and Argyll Color
Management System (CMS) 1.0.3 and earlier, allows context-dependent
attackers to cause a denial of service (application crash) or possibly
execute arbitrary code by using a device file for processing a crafted
image file associated with large integer values for certain sizes,
related to an ICC profile in a (1) PostScript or (2) PDF file with
argyllcms-1.0.3-3.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
argyllcms-1.0.3-3.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 355610
fix a bug in this security patch
The fix for CVE 2009-0583/0584 introduces a serious bug that causes icclib to reject most ICC profiles, effectively disabling ICC handling in Ghostscript.
The attached two-line patch fixes the two issues. First, by limiting the number of points in icmLut_read to the specified limit of 255 instead of 100 like the original patch. Second, by resetting an error condition when icm_read_tag fails to find a black point tag. This tag is optional, so the error should not be propagated; originally it was just ignored, but new error checking introduced by the security patch caught it when processing subsequent tags, incorrectly rejecting the profile as unreadable.
I recommend updating the package with this fix to address the serious regressions introduced in the 8.64-5 release. The same change will be included in the upstream ghostscript-8.70 release.
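An added illustration of the two behaviours the comment above describes, not the attached patch and not icclib's own code: an overflow-checked size computation capped at 255 points, and a sticky reader error that must be cleared after a lookup for an optional tag fails. The names `reader`, `lut_table_entries`, `find_tag` and `find_optional_tag`, the table-size formula and the sample tag lists are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_CLUT_POINTS 255u   /* upper limit named in the comment above */

/* Hypothetical reader state with a sticky error code (0 = no error). */
typedef struct { int errc; } reader;

/* Overflow-checked a*b: returns 0 on success, -1 if the product would wrap. */
static int mul_ok(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return -1;
    *out = a * b;
    return 0;
}

/* Assumed table size: points^in_chan * out_chan. Rejects oversized input. */
int lut_table_entries(reader *r, unsigned points, unsigned in_chan,
                      unsigned out_chan, size_t *entries) {
    size_t n = out_chan;
    if (r->errc) return -1;                 /* an earlier error is still pending */
    if (points > MAX_CLUT_POINTS) { r->errc = 1; return -1; }
    for (unsigned i = 0; i < in_chan; i++)
        if (mul_ok(n, points, &n) != 0) { r->errc = 1; return -1; }
    *entries = n;
    return 0;
}

/* Hypothetical tag lookup: sets the sticky error when the tag is absent. */
int find_tag(reader *r, const char *const *tags, size_t ntags, const char *sig) {
    for (size_t i = 0; i < ntags; i++)
        if (strcmp(tags[i], sig) == 0) return 0;
    r->errc = 2;
    return -1;
}

/* Optional tag: absence is not an error, so undo the state the lookup left. */
int find_optional_tag(reader *r, const char *const *tags, size_t ntags,
                      const char *sig) {
    int saved = r->errc;
    int rv = find_tag(r, tags, ntags, sig);
    if (rv != 0) r->errc = saved;   /* restore, so a real earlier error survives */
    return rv;
}
```

Restoring the saved code instead of zeroing it keeps the strict checks effective for genuine errors while letting profiles without the optional tag load.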