Bug 854227 - (CVE-2012-4405) CVE-2012-4405 ghostscript, argyllcms: Array index error leading to heap-based buffer OOB write
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20120911,repor...
Keywords: Security
Depends On: 854548 854549 854550 854551 856060 856061
Blocks: 854262
Reported: 2012-09-04 08:56 EDT by Jan Lieskovsky
Modified: 2016-03-04 06:27 EST (History)
Doc Type: Bug Fix
Attachments: patch for ghostscript (609 bytes, patch), 2012-09-05 07:11 EDT, Tim Waugh
Description Jan Lieskovsky 2012-09-04 08:56:56 EDT
An array index error leading to a heap-based buffer out-of-bounds write flaw was found in the way the International Color Consortium (ICC) Format library (aka icclib), as used in Ghostscript and the Argyll Color Management System, computed the dimensional increment through the clut based on the count of input channels. Using specially-crafted ICC profiles, an attacker could create a malicious PostScript or PDF file with embedded images which would cause Ghostscript to crash or, potentially, execute arbitrary code when opened by the victim. Similarly, when such a specially-crafted ICC profile was inspected by some of the Argyll Color Management System tools, it could lead to a crash of the particular executable or arbitrary code execution with the privileges of the user running the binary.

Acknowledgements:

Red Hat would like to thank Marc Schönefeld for reporting this issue.
Comment 2 Jan Lieskovsky 2012-09-04 09:04:18 EDT
This issue affects the versions of the ghostscript package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the version of the ghostscript package, as shipped with Fedora release of 16 and 17.

--

This issue affects the versions of the argyllcms package, as shipped with Fedora release of 16 and 17.
Comment 5 Huzaifa S. Sidhpurwala 2012-09-05 04:11:34 EDT
Analysis:

This really is an integer overflow, causing heap-buffer overflow. 

In icc.c:icmLut_allocate()
icmbase *pp is taken as an argument to this function, from which icmLut *p is extracted.
Various checks are done on the members of the struct pointed to by *pp. Later the following happens (icc.c lines 6471-6472):

        i = p->inputChan-1;
        p->dinc[i--] = p->outputChan;

Though p->inputChan is checked for upper bounds, it's not really checked for lower bounds. In the case of our malicious input file, p->inputChan = 0. Since i is unsigned, this causes an integer overflow for i, resulting in a very large value for it.

Later p->dinc[i--] = p->outputChan; causes an out-of-bounds write in the buffer
p->dinc, which is controlled by i.

The size of the p->dinc buffer is 15. The chances of exploitation seem a little higher to me, especially because the _icmLut structure contains pointers to functions.
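The wrap described in this analysis, as an added example that is not part of the bug report or of icclib: a small C model with the vulnerable shape (an upper bound on inputChan only, and the index held in an unsigned variable) beside a hardened version that rejects inputChan == 0 before it is used as a length. lut_model, MAX_CHAN, vuln_lut_allocate(), safe_lut_allocate() and the scalar wrappers are names chosen for this example; the dinc[] size of 15 follows the analysis above, and the stride rule used to fill the rest of dinc[] is an assumption, not code quoted from icc.c. The vulnerable path reports where the store would have landed instead of performing it, so the example can be run safely.

```c
/*
 * Added example modelling the icmLut_allocate() index bug described in
 * comment 5. lut_model, MAX_CHAN, vuln_lut_allocate() and safe_lut_allocate()
 * are this example's own names, not icclib's. The stride rule in the fill
 * loop is an assumption about how dinc[] is used, not quoted from icc.c.
 */
#include <stdio.h>
#include <limits.h>

#define MAX_CHAN      15   /* assumption: the dinc[] size quoted in the analysis */
#define LUT_OK         0
#define LUT_REJECTED  -1   /* a sanity check refused the profile */
#define LUT_WOULD_OOB -2   /* the vulnerable store would leave dinc[]; not performed */

typedef struct {
    unsigned int inputChan;
    unsigned int outputChan;
    unsigned int clutPoints;
    unsigned int dinc[MAX_CHAN];
    void (*del)(void *);   /* stands in for the function pointers the real struct carries */
} lut_model;

/* Vulnerable shape: only an upper bound on inputChan, index in an unsigned
 * variable. With inputChan == 0, i wraps to UINT_MAX. Instead of doing the
 * write, report where it would have gone. */
int vuln_lut_allocate(lut_model *p)
{
    unsigned int i;
    if (p->inputChan > MAX_CHAN)
        return LUT_REJECTED;       /* the check that exists */
    i = p->inputChan - 1;          /* no lower-bounds check: 0 - 1 wraps */
    if (i >= MAX_CHAN)
        return LUT_WOULD_OOB;      /* real code: p->dinc[i--] = p->outputChan; writes here */
    p->dinc[i] = p->outputChan;
    return LUT_OK;
}

/* Hardened shape: reject a zero channel count (and a zero clut size) before
 * they are used, then fill dinc[] from the last input channel backwards. */
int safe_lut_allocate(lut_model *p)
{
    unsigned int i;
    if (p->inputChan < 1 || p->inputChan > MAX_CHAN)
        return LUT_REJECTED;
    if (p->outputChan < 1 || p->outputChan > MAX_CHAN)
        return LUT_REJECTED;
    if (p->clutPoints == 0)
        return LUT_REJECTED;
    i = p->inputChan - 1;          /* now provably in 0..MAX_CHAN-1 */
    p->dinc[i] = p->outputChan;
    while (i > 0) {
        /* assumed stride rule: each earlier channel steps over clutPoints
         * entries of the next one; refuse a product that would wrap */
        if (p->dinc[i] > UINT_MAX / p->clutPoints)
            return LUT_REJECTED;
        p->dinc[i - 1] = p->dinc[i] * p->clutPoints;
        i--;
    }
    return LUT_OK;
}

/* Scalar wrappers so a profile's header values can be checked directly. */
static lut_model make_model(unsigned int in, unsigned int out, unsigned int clut)
{
    lut_model m = {0};
    m.inputChan = in;
    m.outputChan = out;
    m.clutPoints = clut;
    return m;
}

int vuln_outcome(unsigned int in, unsigned int out, unsigned int clut)
{
    lut_model m = make_model(in, out, clut);
    return vuln_lut_allocate(&m);
}

int safe_outcome(unsigned int in, unsigned int out, unsigned int clut)
{
    lut_model m = make_model(in, out, clut);
    return safe_lut_allocate(&m);
}

/* dinc[k] after a successful safe_lut_allocate(); 0 if rejected or k is out of range */
unsigned int safe_stride(unsigned int in, unsigned int out, unsigned int clut, unsigned int k)
{
    lut_model m = make_model(in, out, clut);
    if (safe_lut_allocate(&m) != LUT_OK || k >= MAX_CHAN)
        return 0;
    return m.dinc[k];
}

int main(void)
{
    printf("inputChan=0: vulnerable path -> %d, hardened path -> %d\n",
           vuln_outcome(0, 3, 17), safe_outcome(0, 3, 17));
    printf("inputChan=3, outputChan=4, clutPoints=17: dinc = %u %u %u\n",
           safe_stride(3, 4, 17, 0), safe_stride(3, 4, 17, 1), safe_stride(3, 4, 17, 2));
    return 0;
}
```

The single added comparison `inputChan < 1` is the whole fix for the index wrap; the clutPoints and product checks are extra guards against the same class of unsigned arithmetic surprise in the stride computation.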
Comment 9 Huzaifa S. Sidhpurwala 2012-09-11 01:42:48 EDT
Created argyllcms tracking bugs for this issue

Affects: fedora-all [bug 856061]
Comment 10 Huzaifa S. Sidhpurwala 2012-09-11 01:42:53 EDT
Created ghostscript tracking bugs for this issue

Affects: fedora-all [bug 856060]
Comment 11 errata-xmlrpc 2012-09-11 14:26:42 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:1256 https://rhn.redhat.com/errata/RHSA-2012-1256.html
Comment 12 Graeme Gill 2012-09-23 21:18:05 EDT
Probably a good idea to notify upstream in the case of discovering bugs
in external software, so that your fixes don't get undone at the next update.

[i.e. you seem to be expecting me to randomly stumble over this bug report.
 There is no guarantee that this will be the case. ]
Comment 13 Jan Lieskovsky 2012-09-24 12:54:22 EDT
(In reply to comment #12)

Hello Graeme,

> Probably a good idea to notify upstream in the case of discovering bugs
> in external software, so that your fixes don't get undone at the next update.

Sure. This has been the practice for previous cases like this one. I am not sure why / how in this specific case it did not happen.

Anyway, we will make a note about this and ensure this will not occur again.

Apologies for the inconvenience.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> 
> [i.e. you seem to be expecting me to randomly stumble over this bug report.
>  There is no guarantee that this will be the case. ]
Comment 14 Fedora Update System 2012-09-28 19:53:45 EDT
ghostscript-9.05-4.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2012-09-28 19:55:44 EDT
ghostscript-9.05-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.