Bug 627902 - (CVE-2009-3743) CVE-2009-3743 ghostscript: TrueType bytecode intepreter integer overflow or wraparound
CVE-2009-3743 ghostscript: TrueType bytecode intepreter integer overflow or w...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 755924 755925 755926 755928 755929
Blocks: 733386
  Show dependency treegraph
Reported: 2010-08-27 06:59 EDT by Jan Lieskovsky
Modified: 2016-03-04 06:39 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-02-14 08:55:15 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Ghostscript 691044 None None None Never

  None (edit)
Description Jan Lieskovsky 2010-08-27 06:59:08 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3743 to
the following vulnerability:

Off-by-one error in the TrueType bytecode interpreter in Ghostscript
before 8.71 allows remote attackers to execute arbitrary code or cause
a denial of service (heap memory corruption) via a malformed TrueType
font in a document.

  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3743
  [2] http://www.kb.cert.org/vuls/id/JALR-87YGN8
  [3] http://www.kb.cert.org/vuls/id/644319

Upstream bug report:
  [4] http://bugs.ghostscript.com/show_bug.cgi?id=691044

Upstream changeset:
  [5] http://code.google.com/p/ghostscript/source/detail?r=10602
Comment 9 Tomas Hoger 2010-08-30 10:52:02 EDT
(In reply to comment #0)
> Off-by-one error in the TrueType bytecode interpreter in Ghostscript

While this may possibly allow off-by-one over-read, the more important issue is an integer underflow leading to memory corruption.  Upstream patch fixes Ins_MINDEX() to skip standard processing when 0 is passed as an argument (L) to the function.  Skipped code is:

    K = CUR.stack[CUR.args - L];

    memmove( (&CUR.stack[CUR.args - L    ]),
              (&CUR.stack[CUR.args - L + 1]),
              (L - 1) * sizeof ( Long ) );

    CUR.stack[ CUR.args-1 ] = K;

When L==0, memmove() is called with the third argument being (-1)*sizeof(long), which is close to SIZE_MAX or address space limit of the architecture.  Hence program will try to move all its memory, which leads to crash before that memmove() call finishes.  Memory corruption is under very limited control of an attacker, making it more difficult to reliably exploit for code execution.
Comment 13 Jan Lieskovsky 2010-11-26 09:27:47 EST
Toucan System advisory:
[1] http://www.toucan-system.com/advisories/tssa-2010-01.txt
Comment 18 Ramon de C Valle 2011-11-22 07:47:10 EST
Created ghostscript tracking bugs for this issue

Affects: fedora-all [bug 755929]
Comment 22 errata-xmlrpc 2012-02-02 17:45:42 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:0095 https://rhn.redhat.com/errata/RHSA-2012-0095.html

Note You need to log in before you can comment on or make changes to this bug.