Bug 1232805 (CVE-2015-3228) - CVE-2015-3228 ghostscript-core: out-of-bounbds read and write in gs_ttf.ps
Summary: CVE-2015-3228 ghostscript-core: out-of-bounbds read and write in gs_ttf.ps
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2015-3228
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20150723,reported=2...
Depends On:
Blocks: 1232808
TreeView+ depends on / blocked
 
Reported: 2015-06-17 14:06 UTC by Vasyl Kaigorodov
Modified: 2019-06-08 20:37 UTC (History)
15 users (show)

Fixed In Version: GhostScript 9.10
Doc Type: Bug Fix
Doc Text:
An integer overflow flaw was discovered in one of Ghostscript's memory allocation routines. A remote attacker could possibly exploit this flaw to cause a crash or, potentially, execute arbitrary code by tricking a user into processing a specially crafted file.
Clone Of:
Environment:
Last Closed: 2015-10-16 13:11:45 UTC


Attachments (Terms of Use)

Description Vasyl Kaigorodov 2015-06-17 14:06:58 UTC
Out-of-bounbds read and write has been reported in GhostScript package while processing a crafted .ps file.

Upstream bug: http://bugs.ghostscript.com/show_bug.cgi?id=696041
Upstream commit that fixes this (as per reporter): http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ecc7a199e9307475c37fea0c44d24b85df814ead 

Acknowledgements:

Red Hat would like to thank William Robinet of Conostix S.A. for reporting this issue.

Comment 2 Stefan Cornelius 2015-06-30 15:25:52 UTC
I believe that the root issue is actually an integer overflow in one of
the memory allocation routines.

gs_heap_alloc_bytes() function in base/gsmalloc.c:
>        uint added = size + sizeof(gs_malloc_block_t);
>
>        if (mmem->limit - added < mmem->used)
>            set_msg("exceeded limit");
>        else if ((ptr = (byte *) Memento_label(malloc(added), cname)) == 0)
>            set_msg("failed");


If "size" is very large, then size+sizeof(gs_malloc_block_t) can cause
a wrap-around and "size" will suddenly be a lot smaller than it
actually needs to be.

Comment 3 Stefan Cornelius 2015-07-08 10:51:53 UTC
Upstream patch:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=0c0b0859

Comment 4 Martin Prpič 2015-07-24 07:25:39 UTC
Public via:

http://openwall.com/lists/oss-security/2015/07/23/14


Note You need to log in before you can comment on or make changes to this bug.