2224368 – (CVE-2023-38560) CVE-2023-38560 ghostscript: Integer overflow in pcl/pl/plfont.c:418 in pl_glyph_name

Bug 2224368 (CVE-2023-38560) - CVE-2023-38560 ghostscript: Integer overflow in pcl/pl/plfont.c:418 in pl_glyph_name

Summary: CVE-2023-38560 ghostscript: Integer overflow in pcl/pl/plfont.c:418 in pl_gl...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2023-38560
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2224375 2224376 2224377 2224378 2225381
Blocks:	2224370
TreeView+	depends on / blocked

Reported:	2023-07-20 14:50 UTC by Michael Kaplan
Modified:	2023-08-07 12:15 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	An integer overflow flaw was found in pcl/pl/plfont.c:418 in pl_glyph_name in ghostscript. This issue may allow a local attacker to cause a denial of service via transforming a crafted PCL file to PDF format.
Clone Of:
Environment:
Last Closed:	2023-08-01 19:02:50 UTC
Embargoed:

Attachments	(Terms of Use)

Description Michael Kaplan 2023-07-20 14:50:26 UTC

An Integer overflow in pcl/pl/plfont.c:418 in pl_glyph_name allows a local attacker to cause a denial of service via a rafted PCL file and tranforming it to PDF format

Comment 1 Michael Kaplan 2023-07-20 14:57:00 UTC

References:

https://bugs.ghostscript.com/show_bug.cgi?id=706898
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b7eb1d0174c

Comment 3 TEJ RATHI 2023-07-25 07:05:58 UTC

Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 2225381]

Comment 4 Michael J Gruber 2023-07-25 10:17:05 UTC

(In reply to Michael Kaplan from comment #1)
> References:
> 
> https://bugs.ghostscript.com/show_bug.cgi?id=70689
> https://bugs.ghostscript.com/show_bug.cgi?id=706897
> https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b7eb1d0174c

Strange fix that is:

If "a > b - 1" is a problem because a, b are unsigned then why not use "a + 1 > b"?

The fix relies implicitly on the fact that an "int" can fit a "u16", or else we get new problems ... (Can't comment on the original gs bug which is locked.)

Comment 5 Product Security DevOps Team 2023-08-01 19:02:48 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-38560

Comment 6 Salvatore Bonaccorso 2023-08-04 04:07:58 UTC

Hi

The upstream bug reference should be https://bugs.ghostscript.com/show_bug.cgi?id=706898, can you please correct that here as well in the CVE record?

Regards,
Salvatore

Comment 7 Pedro Sampaio 2023-08-07 12:15:07 UTC

(In reply to Salvatore Bonaccorso from comment #6)
> Hi
> 
> The upstream bug reference should be
> https://bugs.ghostscript.com/show_bug.cgi?id=706898, can you please correct
> that here as well in the CVE record?
> 
> Regards,
> Salvatore

Fixed. Thanks!

Note You need to log in before you can comment on or make changes to this bug.