Bug 487744 (CVE-2009-0584) - CVE-2009-0584 ghostscript, argyllcms: Multiple insufficient upper-bounds checks on certain sizes in the International Color Consortium Format Library
Summary: CVE-2009-0584 ghostscript, argyllcms: Multiple insufficient upper-bounds chec...
Status: VERIFIED
Alias: CVE-2009-0584
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: source=redhat,reported=20090227,publi...
Keywords: Security
Depends On: 487747 487748 487749 487750 487751 491276 491277 491278
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-02-27 18:28 UTC by Jan Lieskovsky
Modified: 2019-06-08 12:42 UTC (History)
4 users (show)

(edit)
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)
fix a bug in this security patch (752 bytes, patch)
2009-07-29 21:39 UTC, Ralph Giles
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:0345 normal SHIPPED_LIVE Moderate: ghostscript security update 2009-03-19 16:00:55 UTC

Description Jan Lieskovsky 2009-02-27 18:28:15 UTC
Multiple insufficient upper-bounds checks on certain sizes were found in the
Ghostscript's International Color Consortium Format Library (icclib). An
attacker could use this flaw to potentially execute arbitrary code by
providing a specially-crafted image file for processing via the Ghotstscript's
device file.

Comment 4 Josh Bressers 2009-03-19 14:57:14 UTC
Lifting embargo

Comment 6 Fedora Update System 2009-03-21 01:26:56 UTC
ghostscript-8.63-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2009-03-21 01:28:07 UTC
ghostscript-8.63-5.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Jan Lieskovsky 2009-03-24 17:00:02 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-0584 to
this vulnerability:

icc.c in the International Color Consortium (ICC) Format library (aka
icclib), as used in Ghostscript 8.64 and earlier and Argyll Color
Management System (CMS) 1.0.3 and earlier, allows context-dependent
attackers to cause a denial of service (application crash) or possibly
execute arbitrary code by using a device file for processing a crafted
image file associated with large integer values for certain sizes,
related to an ICC profile in a (1) PostScript or (2) PDF file with
embedded images.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0584
http://www.securityfocus.com/archive/1/archive/1/501994/100/0/threaded
http://bugs.gentoo.org/show_bug.cgi?id=261087
http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0050
https://issues.rpath.com/browse/RPL-2991
http://www.debian.org/security/2009/dsa-1746
http://www.securityfocus.com/bid/34184
http://securitytracker.com/id?1021868
http://secunia.com/advisories/34373
http://secunia.com/advisories/34381
http://secunia.com/advisories/34393
http://secunia.com/advisories/34398
http://www.vupen.com/english/advisories/2009/0776
http://www.vupen.com/english/advisories/2009/0777
http://xforce.iss.net/xforce/xfdb/49327

Comment 9 Fedora Update System 2009-03-25 16:06:15 UTC
argyllcms-1.0.3-3.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2009-03-25 16:10:22 UTC
argyllcms-1.0.3-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Ralph Giles 2009-07-29 21:39:19 UTC
Created attachment 355610 [details]
fix a bug in this security patch

The fix for CVE 2009-0583/0584 introduces a serious bug that causes icclib to reject most ICC profiles, effectively disabling ICC handling in Ghostscript.

The attached two-line patch fixes the two issues. First, by limiting the number of points in icmLut_read to the specified limit of 255 instead of 100 like the original patch. Second, by resetting an error condition when icm_read_tag fails to find a black point tag. This tag is optional, so the error should not be propagated; originally it was just ignored, but new error checking introduced by the security patch caught it when processing subsequent tags, incorrectly rejecting the profile as unreadable.

I recommend updating the package with this fix to address the serious regressions introduced in the 8.64-5 release. The same change will be included in the upstream ghostscript-8.70 release.


Note You need to log in before you can comment on or make changes to this bug.