Chris Evans of the Google security team has reported a buffer overflow in the zseticcspace() function in zicc.c. The issue is over-trust of the length of a PostScript array, which an attacker can set to an arbitrary length. This issue can lead to arbitrary code execution.
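The root cause described above, an array length taken from the document and used as a copy bound, shown as an added C example beside a checked version. This is a simplified model, not Ghostscript source or the attached patch; ps_array, RANGE_CAP, ERR_RANGECHECK and both function names are hypothetical, and treating the values as min/max pairs is an assumption.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for an interpreter array object: len comes
 * from the document being parsed, so it is untrusted input. */
typedef struct {
    size_t len;
    const float *elems;
} ps_array;

#define RANGE_CAP 8          /* constructed capacity of the fixed buffer */
#define ERR_RANGECHECK (-1)  /* hypothetical error code */

/* Vulnerable pattern: the loop bound is the attacker-chosen length,
 * so any array longer than RANGE_CAP writes past the end of dst. */
int load_range_unchecked(const ps_array *a, float dst[RANGE_CAP])
{
    for (size_t i = 0; i < a->len; i++)
        dst[i] = a->elems[i];
    return 0;
}

/* Hardened pattern: validate the length against the destination
 * capacity before anything is written. Assumption: values are
 * min/max pairs, so odd lengths and inverted pairs are rejected. */
int load_range_checked(const ps_array *a, float dst[RANGE_CAP])
{
    if (a == NULL || a->elems == NULL)
        return ERR_RANGECHECK;
    if (a->len == 0 || a->len > RANGE_CAP || (a->len % 2) != 0)
        return ERR_RANGECHECK;
    for (size_t i = 0; i < a->len; i += 2)
        if (!(a->elems[i] <= a->elems[i + 1]))  /* also rejects NaN */
            return ERR_RANGECHECK;
    for (size_t i = 0; i < a->len; i++)
        dst[i] = a->elems[i];
    return 0;
}

int main(void)
{
    float dst[RANGE_CAP];
    static const float big[64];  /* constructed oversized input */
    ps_array a = { 64, big };
    printf("oversized array -> %d\n", load_range_checked(&a, dst));
    return 0;
}
```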
Created attachment 294020: Patch proposed by Werner Fink
Chris Evans' advisory is public now, lifting embargo: http://scary.beasts.org/security/CESA-2008-001.html
ghostscript-8.15.4-4.fc7 has been submitted as an update for Fedora 7
ghostscript-8.61-8.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update ghostscript'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-1998
ghostscript-8.61-8.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
ghostscript-8.15.4-4.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.