Bug 487744 - (CVE-2009-0584) CVE-2009-0584 ghostscript, argyllcms: Multiple insufficient upper-bounds checks on certain sizes in the International Color Consortium Format Library
Status: VERIFIED
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
source=redhat,reported=20090227,publi...
Keywords: Security
Depends On: 487747 487748 487749 487750 487751 491276 491277 491278
Reported: 2009-02-27 13:28 EST by Jan Lieskovsky
Modified: 2009-07-30 09:12 EDT
Doc Type: Bug Fix
Attachments:
fix a bug in this security patch (752 bytes, patch) - 2009-07-29 17:39 EDT, Ralph Giles

Description Jan Lieskovsky 2009-02-27 13:28:15 EST
Multiple insufficient upper-bounds checks on certain sizes were found in
Ghostscript's International Color Consortium Format Library (icclib). An
attacker could use this flaw to potentially execute arbitrary code by
providing a specially-crafted image file for processing via a Ghostscript
device file.
Comment 4 Josh Bressers 2009-03-19 10:57:14 EDT
Lifting embargo
Comment 6 Fedora Update System 2009-03-20 21:26:56 EDT
ghostscript-8.63-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2009-03-20 21:28:07 EDT
ghostscript-8.63-5.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Jan Lieskovsky 2009-03-24 13:00:02 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0584 to
this vulnerability:

icc.c in the International Color Consortium (ICC) Format library (aka
icclib), as used in Ghostscript 8.64 and earlier and Argyll Color
Management System (CMS) 1.0.3 and earlier, allows context-dependent
attackers to cause a denial of service (application crash) or possibly
execute arbitrary code by using a device file for processing a crafted
image file associated with large integer values for certain sizes,
related to an ICC profile in a (1) PostScript or (2) PDF file with
embedded images.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0584
http://www.securityfocus.com/archive/1/archive/1/501994/100/0/threaded
http://bugs.gentoo.org/show_bug.cgi?id=261087
http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0050
https://issues.rpath.com/browse/RPL-2991
http://www.debian.org/security/2009/dsa-1746
http://www.securityfocus.com/bid/34184
http://securitytracker.com/id?1021868
http://secunia.com/advisories/34373
http://secunia.com/advisories/34381
http://secunia.com/advisories/34393
http://secunia.com/advisories/34398
http://www.vupen.com/english/advisories/2009/0776
http://www.vupen.com/english/advisories/2009/0777
http://xforce.iss.net/xforce/xfdb/49327
Comment 9 Fedora Update System 2009-03-25 12:06:15 EDT
argyllcms-1.0.3-3.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2009-03-25 12:10:22 EDT
argyllcms-1.0.3-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Ralph Giles 2009-07-29 17:39:19 EDT
Created attachment 355610 [details]
fix a bug in this security patch

The fix for CVE 2009-0583/0584 introduces a serious bug that causes icclib to reject most ICC profiles, effectively disabling ICC handling in Ghostscript.

The attached two-line patch fixes the two issues. First, by limiting the number of points in icmLut_read to the specified limit of 255 instead of 100 like the original patch. Second, by resetting an error condition when icm_read_tag fails to find a black point tag. This tag is optional, so the error should not be propagated; originally it was just ignored, but new error checking introduced by the security patch caught it when processing subsequent tags, incorrectly rejecting the profile as unreadable.

I recommend updating the package with this fix to address the serious regressions introduced in the 8.64-5 release. The same change will be included in the upstream ghostscript-8.70 release.
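The two issues described in this comment, a size limit that must match the format's real maximum (255 grid points, not an arbitrary 100) and an optional tag whose absence must not leave a sticky error behind, are modelled below as an added example. This is not icclib or Ghostscript code and does not reproduce the attached patch; the names (`clut_bytes`, `read_tag`, `read_profile`, `struct reader`), the `MAX_CHANNELS` ceiling, the `errc` field and the constructed tag directory are assumptions made for illustration. The CLUT size check goes a step further than the text by also guarding every multiplication against overflow and bounding the result by the bytes actually available.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_CLUT_POINTS 255  /* lut8Type/lut16Type store the grid size in one byte */
#define MAX_CHANNELS    15   /* assumed channel ceiling for this example */

enum { ICC_OK = 0, ICC_ERR_BOUNDS = 1, ICC_ERR_MISSING_TAG = 2 };

/* Size in bytes of a CLUT holding points^in_chan * out_chan entries, computed with an
 * overflow check at every multiplication and bounded by the bytes available (avail).
 * Returns ICC_OK and sets *out_bytes, or ICC_ERR_BOUNDS. Hypothetical helper. */
int clut_bytes(unsigned points, unsigned in_chan, unsigned out_chan,
               size_t entry_bytes, size_t avail, size_t *out_bytes)
{
    size_t n = 1, i;
    if (points == 0 || points > MAX_CLUT_POINTS) return ICC_ERR_BOUNDS;
    if (in_chan == 0 || in_chan > MAX_CHANNELS) return ICC_ERR_BOUNDS;
    if (out_chan == 0 || out_chan > MAX_CHANNELS) return ICC_ERR_BOUNDS;
    if (entry_bytes == 0) return ICC_ERR_BOUNDS;
    for (i = 0; i < in_chan; i++) {
        if (n > SIZE_MAX / points) return ICC_ERR_BOUNDS;   /* points^in_chan overflow */
        n *= points;
    }
    if (n > SIZE_MAX / out_chan) return ICC_ERR_BOUNDS;
    n *= out_chan;
    if (n > SIZE_MAX / entry_bytes) return ICC_ERR_BOUNDS;
    n *= entry_bytes;
    if (n > avail) return ICC_ERR_BOUNDS;                    /* table must fit the data */
    *out_bytes = n;
    return ICC_OK;
}

/* Minimal tag directory entry: four-character signature plus location in the file. */
struct tag { const char *sig; size_t offset; size_t size; };

/* Reader state with a sticky error code, modelling the pattern the comment describes:
 * an error left set by one step is caught by the next. Hypothetical. */
struct reader { int errc; };

/* Look up a tag. Refuses to run while an error is pending, and records a
 * missing-tag error when the signature is absent. Returns 1 if found, else 0. */
static int read_tag(struct reader *r, const struct tag *tags, size_t ntags, const char *sig)
{
    size_t i;
    if (r->errc != ICC_OK) return 0;
    for (i = 0; i < ntags; i++)
        if (strcmp(tags[i].sig, sig) == 0) return 1;
    r->errc = ICC_ERR_MISSING_TAG;
    return 0;
}

/* Read the tags a caller needs. With reset_optional = 1 a missing optional black
 * point ('bkpt') clears the error it left behind, so the profile is still accepted;
 * with 0 the stale error is picked up when the next required tag is read and a
 * valid profile is wrongly rejected, which is the regression described above. */
int read_profile(const struct tag *tags, size_t ntags, int reset_optional)
{
    struct reader r = { ICC_OK };
    if (!read_tag(&r, tags, ntags, "wtpt")) return r.errc;  /* required: white point */
    if (!read_tag(&r, tags, ntags, "bkpt") && reset_optional)
        r.errc = ICC_OK;                                     /* optional: black point */
    if (!read_tag(&r, tags, ntags, "A2B0")) return r.errc;  /* required: AToB0 LUT */
    return ICC_OK;
}

/* Constructed tag directory: white point and AToB0 present, no black point. */
const struct tag sample_tags[] = {
    { "wtpt", 128, 20 },
    { "A2B0", 148, 4096 },
};
const size_t sample_ntags = sizeof sample_tags / sizeof sample_tags[0];

int main(void)
{
    size_t b = 0;
    printf("255-point 3->3 CLUT, 16-bit entries: rc=%d bytes=%zu\n",
           clut_bytes(255, 3, 3, 2, (size_t)1 << 27, &b), b);
    printf("256-point CLUT rejected: rc=%d\n", clut_bytes(256, 3, 3, 2, SIZE_MAX, &b));
    printf("profile without bkpt, error reset: rc=%d\n", read_profile(sample_tags, sample_ntags, 1));
    printf("profile without bkpt, error kept:  rc=%d\n", read_profile(sample_tags, sample_ntags, 0));
    return 0;
}
```

The point of `clut_bytes` is that the ceiling is derived from the format (one byte of grid size) rather than picked as a round number, while the overflow and availability checks do the actual memory-safety work; the point of `read_profile` is that "absent" for an optional tag is a normal outcome and must be cleared before the next step consults the error state.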
