Your message dated Mon, 04 May 2009 17:47:33 +0000 with message-id <[email protected]> and subject line Bug#524915: fixed in ghostscript 8.64~dfsg-1+squeeze1 has caused the Debian Bug report #524915, regarding ghostscript: CVE-2009-0792 multiple integer overflows in icc library to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 524915: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=524915 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: ghostscript Severity: grave Tags: security patch Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for ghostscript. CVE-2009-0792[0]: | Multiple integer overflows in icc.c in the International Color | Consortium (ICC) Format library (aka icclib), as used in Ghostscript | 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and | earlier, allow context-dependent attackers to cause a denial of | service (heap-based buffer overflow and application crash) or possibly | execute arbitrary code by using a device file for a translation | request that operates on a crafted image file and targets a certain | "native color space," related to an ICC profile in a (1) PostScript or | (2) PDF file with embedded images. NOTE: this issue exists because of | an incomplete fix for CVE-2009-0583. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. Patch attached. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0792 http://security-tracker.debian.net/tracker/CVE-2009-0792 -- Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -up ghostscript-8.63/icclib/icc.c.CVE-2009-0792 ghostscript-8.63/icclib/icc.c
--- ghostscript-8.63/icclib/icc.c.CVE-2009-0792 2009-04-15 16:37:49.000000000 +0100
+++ ghostscript-8.63/icclib/icc.c 2009-04-15 16:38:00.000000000 +0100
@@ -2982,7 +2982,7 @@ static int icmCurve_lookup_fwd(
 rv |= 1;
 }
 ix = (int)floor(val); /* Coordinate */
- if (ix > (p->size-2))
+ if (ix < 0 || ix > (p->size-2))
 ix = (p->size-2);
 w = val - (double)ix; /* weight */
 val = p->data[ix];
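Review bot: The new `ix < 0 ||` guard still clamps to `p->size-2`, so at `val = p->data[ix]` the index is only in range when `p->size` is at least 2; for a curve with zero or one entries `p->size-2` is itself out of bounds (negative, or wrapped if `size` is unsigned) and nothing in this hunk rejects such a curve, so unless the tag reader already refuses them a setup-time check such as `if (p->size < 2) return 2;` is still needed to make this clamp sufficient. Mapping a negative `ix` to the top entry is also surprising: if `ix` can be negative here at all (presumably a NaN `val`, which a range clamp on `val` would not catch), `if (ix < 0) ix = 0; else if (ix > (p->size-2)) ix = (p->size-2);` keeps the clamp symmetric with the lower bound of the table. The same pattern recurs in the icmTable_lookup_bwd hunk at 3104 and in the 4301, 4360, 4433 and 4506 hunks. icmCurve_lookup_fwd's body begins and ends outside this hunk.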
@@ -3004,6 +3004,11 @@ static int icmTable_setup_bwd(
 ) {
 int i;
 
+ if (size > INT_MAX - 2)
+ /* Although rt->size is unsigned long, the rt data
+ * structure uses int data types to store indices. */
+ return 2;
+
 rt->size = size; /* Stash pointers to these away */
 rt->data = data;
@@ -3022,7 +3027,7 @@ static int icmTable_setup_bwd(
 rt->qscale = (double)rt->rsize/(rt->rmax - rt->rmin); /* Scale factor to quantize to */
 
 /* Initialize the reverse lookup structures, and get overall min/max */
- if ((rt->rlists = (int **) icp->al->calloc(icp->al, 1, rt->rsize * sizeof(int *))) == NULL) {
+ if ((rt->rlists = (int **) icp->al->calloc(icp->al, rt->rsize, sizeof(int *))) == NULL) {
 return 2;
 }
 
@@ -3035,6 +3040,15 @@ static int icmTable_setup_bwd(
 int t;
 t = s; s = e; e = t;
 }
+ /* s and e should both be in the range [0,rt->rsize]
+ * now, but let's not rely on floating point
+ * calculations -- double-check. */
+ if (s < 0)
+ s = 0;
+ if (e < 0)
+ e = 0;
+ if (s >= rt->rsize)
+ s = rt->rsize-1;
 if (e >= rt->rsize)
 e = rt->rsize-1;
 
@@ -3053,6 +3067,9 @@ static int icmTable_setup_bwd(
 as = rt->rlists[j][0]; /* Allocate space for this list */
 nf = rt->rlists[j][1]; /* Next free location in list */
 if (nf >= as) { /* need to expand space */
+ if (as > INT_MAX / 2 / sizeof (int))
+ return 2;
+
 as *= 2;
 rt->rlists[j] = (int *) icp->al->realloc(icp->al,rt->rlists[j], sizeof(int) * as);
 if (rt->rlists[j] == NULL) {
@@ -3104,7 +3121,7 @@ static int icmTable_lookup_bwd(
 val = rsize_1;
 ix = (int)floor(val); /* Coordinate */
- if (ix > (rt->size-2))
+ if (ix < 0 || ix > (rt->size-2))
 ix = (rt->size-2);
 if (rt->rlists[ix] != NULL) { /* There is a list of fwd candidates */
 /* For each candidate forward range */
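Review bot: `INT_MAX` in the new `if (size > INT_MAX - 2)` check (and in the 3053 hunk's `INT_MAX / 2 / sizeof (int)`) comes from `<limits.h>`, and no hunk in this patch adds that include, so the build depends on icc.c already pulling it in — presumably from the earlier CVE-2009-0583 fix — which should be confirmed or made explicit with `#include <limits.h>`. The new `return 2;` also returns without writing `icp->err`, unlike the allocate functions later in the patch that `sprintf(icp->err, ...)` before `return icp->errc = 2;`; the pre-existing `return 2;` in the 3022 hunk shows this is the function's local convention, but a caller that reports `icp->err` may print a stale message for this new failure, so a short `sprintf(icp->err, "icmTable_setup_bwd: table too large")` before it would help diagnosis. icmTable_setup_bwd's body continues outside this hunk.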
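Review bot: Passing `rt->rsize` and `sizeof(int *)` as separate `calloc` arguments only removes the multiplication overflow if the `icp->al->calloc` implementation checks `num * size` itself; that allocator is project code not shown in the patch, and a wrapper that forms the product and calls `malloc` would leave the original problem in place. Worth confirming the icmAlloc calloc performs that check, or guarding explicitly before the call in the style of the 3004 hunk, e.g. `if (rt->rsize > INT_MAX / sizeof(int *)) return 2;`. The same reliance applies to the malloc-to-calloc changes at 3671, 3887, 6714, 7888, 8827 and 8837, although with `sizeof(char)` (and `sizeof(unsigned char)`) equal to 1 those products could not overflow in the first place, so the effective change there is zero-filling the buffer, which the changelog does not mention. icmTable_setup_bwd's body continues outside this hunk.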
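Review bot: The new comment says s and e should be in `[0,rt->rsize]`, but the clamps directly beneath it (and the pre-existing `e` clamp) force both to at most `rt->rsize-1`, so the range the code actually enforces is `[0, rt->rsize-1]`; `/* s and e should both be in the range [0,rt->rsize-1] now, but let's not rely on floating point calculations -- double-check. */` matches the code. If `rt->rsize` could be 0 at this point the clamps would set `s` and `e` to -1, which is presumably excluded by the earlier setup but deserves a one-line note or assertion since these values index `rt->rlists` later in the function. icmTable_setup_bwd's body continues outside this hunk.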
@@ -3131,6 +3148,7 @@ static int icmTable_lookup_bwd(
 /* We have failed to find an exact value, so return the nearest value */
 /* (This is slow !) */
 val = fabs(ival - rt->data[0]);
+ /* rt->size is known to be < INT_MAX */
 for (k = 0, i = 1; i < rt->size; i++) {
 double er;
 er = fabs(ival - rt->data[i]);
@@ -3671,7 +3689,7 @@ static int icmData_allocate(
 if (p->size != p->_size) {
 if (p->data != NULL)
 icp->al->free(icp->al, p->data);
- if ((p->data = (unsigned char *) icp->al->malloc(icp->al, p->size * sizeof(unsigned char))) == NULL) {
+ if ((p->data = (unsigned char *) icp->al->calloc(icp->al, p->size, sizeof(unsigned char))) == NULL) {
 sprintf(icp->err,"icmData_alloc: malloc() of icmData data failed");
 return icp->errc = 2;
 }
@@ -3887,7 +3905,7 @@ static int icmText_allocate(
 if (p->size != p->_size) {
 if (p->data != NULL)
 icp->al->free(icp->al, p->data);
- if ((p->data = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
+ if ((p->data = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
 sprintf(icp->err,"icmText_alloc: malloc() of icmText data failed");
 return icp->errc = 2;
 }
@@ -4301,7 +4319,7 @@ double *in /* Input array[inputChan] */
 rv |= 1;
 }
 ix = (int)floor(val); /* Grid coordinate */
- if (ix > (p->inputEnt-2))
+ if (ix < 0 || ix > (p->inputEnt-2))
 ix = (p->inputEnt-2);
 w = val - (double)ix; /* weight */
 val = table[ix];
@@ -4360,7 +4378,7 @@ double *in /* Input array[outputChan] *
 rv |= 1;
 }
 x = (int)floor(val); /* Grid coordinate */
- if (x > clutPoints_2)
+ if (x < 0 || x > clutPoints_2)
 x = clutPoints_2;
 co[e] = val - (double)x; /* 1.0 - weight */
 gp += x * p->dinc[e]; /* Add index offset for base of cube */
@@ -4433,7 +4451,7 @@ double *in /* Input array[outputChan] *
 rv |= 1;
 }
 x = (int)floor(val); /* Grid coordinate */
- if (x > clutPoints_2)
+ if (x < 0 || x > clutPoints_2)
 x = clutPoints_2;
 co[e] = val - (double)x; /* 1.0 - weight */
 gp += x * p->dinc[e]; /* Add index offset for base of cube */
@@ -4506,7 +4524,7 @@ double *in /* Input array[outputChan] *
 rv |= 1;
 }
 ix = (int)floor(val); /* Grid coordinate */
- if (ix > (p->outputEnt-2))
+ if (ix < 0 || ix > (p->outputEnt-2))
 ix = (p->outputEnt-2);
 w = val - (double)ix; /* weight */
 val = table[ix];
@@ -6714,7 +6732,7 @@ static int icmTextDescription_allocate(
 if (p->size != p->_size) {
 if (p->desc != NULL)
 icp->al->free(icp->al, p->desc);
- if ((p->desc = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
+ if ((p->desc = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
 sprintf(icp->err,"icmTextDescription_alloc: malloc() of Ascii description failed");
 return icp->errc = 2;
 }
@@ -7888,7 +7906,7 @@ static int icmUcrBg_allocate(
 if (p->size != p->_size) {
 if (p->string != NULL)
 icp->al->free(icp->al, p->string);
- if ((p->string = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
+ if ((p->string = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
 sprintf(icp->err,"icmUcrBg_allocate: malloc() of string data failed");
 return icp->errc = 2;
 }
@@ -8827,7 +8845,7 @@ static int icmCrdInfo_allocate(
 if (p->ppsize != p->_ppsize) {
 if (p->ppname != NULL)
 icp->al->free(icp->al, p->ppname);
- if ((p->ppname = (char *) icp->al->malloc(icp->al, p->ppsize * sizeof(char))) == NULL) {
+ if ((p->ppname = (char *) icp->al->calloc(icp->al, p->ppsize, sizeof(char))) == NULL) {
 sprintf(icp->err,"icmCrdInfo_alloc: malloc() of string data failed");
 return icp->errc = 2;
 }
@@ -8837,7 +8855,7 @@ static int icmCrdInfo_allocate(
 if (p->crdsize[t] != p->_crdsize[t]) {
 if (p->crdname[t] != NULL)
 icp->al->free(icp->al, p->crdname[t]);
- if ((p->crdname[t] = (char *) icp->al->malloc(icp->al, p->crdsize[t] * sizeof(char))) == NULL) {
+ if ((p->crdname[t] = (char *) icp->al->calloc(icp->al, p->crdsize[t], sizeof(char))) == NULL) {
 sprintf(icp->err,"icmCrdInfo_alloc: malloc() of CRD%d name string failed",t);
 return icp->errc = 2;
 }
pgpyhEwlhUkfI.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---Source: ghostscript Source-Version: 8.64~dfsg-1+squeeze1 We believe that the bug you reported is fixed in the latest version of ghostscript, which is due to be installed in the Debian FTP archive: ghostscript-doc_8.64~dfsg-1+squeeze1_all.deb to pool/main/g/ghostscript/ghostscript-doc_8.64~dfsg-1+squeeze1_all.deb ghostscript-x_8.64~dfsg-1+squeeze1_amd64.deb to pool/main/g/ghostscript/ghostscript-x_8.64~dfsg-1+squeeze1_amd64.deb ghostscript_8.64~dfsg-1+squeeze1.diff.gz to pool/main/g/ghostscript/ghostscript_8.64~dfsg-1+squeeze1.diff.gz ghostscript_8.64~dfsg-1+squeeze1.dsc to pool/main/g/ghostscript/ghostscript_8.64~dfsg-1+squeeze1.dsc ghostscript_8.64~dfsg-1+squeeze1_amd64.deb to pool/main/g/ghostscript/ghostscript_8.64~dfsg-1+squeeze1_amd64.deb gs-aladdin_8.64~dfsg-1+squeeze1_all.deb to pool/main/g/ghostscript/gs-aladdin_8.64~dfsg-1+squeeze1_all.deb gs-common_8.64~dfsg-1+squeeze1_all.deb to pool/main/g/ghostscript/gs-common_8.64~dfsg-1+squeeze1_all.deb gs-esp_8.64~dfsg-1+squeeze1_all.deb to pool/main/g/ghostscript/gs-esp_8.64~dfsg-1+squeeze1_all.deb gs-gpl_8.64~dfsg-1+squeeze1_all.deb to pool/main/g/ghostscript/gs-gpl_8.64~dfsg-1+squeeze1_all.deb gs_8.64~dfsg-1+squeeze1_all.deb to pool/main/g/ghostscript/gs_8.64~dfsg-1+squeeze1_all.deb libgs-dev_8.64~dfsg-1+squeeze1_amd64.deb to pool/main/g/ghostscript/libgs-dev_8.64~dfsg-1+squeeze1_amd64.deb libgs8_8.64~dfsg-1+squeeze1_amd64.deb to pool/main/g/ghostscript/libgs8_8.64~dfsg-1+squeeze1_amd64.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. 
Nico Golde <[email protected]> (supplier of updated ghostscript package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: Wed, 22 Apr 2009 00:19:51 +0200 Source: ghostscript Binary: ghostscript gs gs-esp gs-gpl gs-aladdin gs-common ghostscript-x ghostscript-doc libgs8 libgs-dev Architecture: source all amd64 Version: 8.64~dfsg-1+squeeze1 Distribution: testing-security Urgency: high Maintainer: Masayuki Hatta (mhatta) <[email protected]> Changed-By: Nico Golde <[email protected]> Description: ghostscript - The GPL Ghostscript PostScript/PDF interpreter ghostscript-doc - The GPL Ghostscript PostScript/PDF interpreter - Documentation ghostscript-x - The GPL Ghostscript PostScript/PDF interpreter - X Display suppor gs - Transitional package gs-aladdin - Transitional package gs-common - Dummy package depending on ghostscript gs-esp - Transitional package gs-gpl - Transitional package libgs-dev - The Ghostscript PostScript Library - Development Files libgs8 - The Ghostscript PostScript/PDF interpreter Library Closes: 522416 524803 524915 Changes: ghostscript (8.64~dfsg-1+squeeze1) testing-security; urgency=high . * Non-maintainer upload by the Security Team. * This update fixes various security issues: - CVE-2009-0792: multiple integer overflows in the icc library can cause a heap-based buffer overflow possibly leading to arbitrary code execution. - CVE-2009-0584/CVE-2009-0583: Multiple integer overflows causing an application crash or possibly arbitrary code execution. - CVE-2009-0196: heap-based buffer overflow in big2_decode_symbol_dict() leading to arbitrary code execution via a crafted JBIG2 symbol dictionary segment. . 
(Closes: #524915, #522416, #524803) Checksums-Sha1: 14f32b8d9f0d6c080fb9ab5b0dbe0c83d452af3e 1686 ghostscript_8.64~dfsg-1+squeeze1.dsc 5bb48646a61d9453e5fa669d229a847136c8a680 11996078 ghostscript_8.64~dfsg.orig.tar.gz 913cbe48f8d931f00968d8be58d56f7222340566 86715 ghostscript_8.64~dfsg-1+squeeze1.diff.gz cb910dc645de359b9f13a8e90ae1ba9a856d911c 30622 gs_8.64~dfsg-1+squeeze1_all.deb 0205d82d28da9eda5b7f75e890a78e6be209b461 30618 gs-esp_8.64~dfsg-1+squeeze1_all.deb 3fcbcb09f962e19874d28f61688b951a1ba56d02 30624 gs-gpl_8.64~dfsg-1+squeeze1_all.deb b0f2a16b66fe5f09412e05db57ac2b43d62bfff4 30630 gs-aladdin_8.64~dfsg-1+squeeze1_all.deb 04b894385452935eebdde7e0b6b8749d481e6781 30884 gs-common_8.64~dfsg-1+squeeze1_all.deb b6365abfbb00d01c9d3b9114f85003a0640101b0 2964652 ghostscript-doc_8.64~dfsg-1+squeeze1_all.deb cdc5cab5ebf97796492541fcf5d39cd180463394 769912 ghostscript_8.64~dfsg-1+squeeze1_amd64.deb f7d778d1f20b7e307119f0616be377b9a096055b 64032 ghostscript-x_8.64~dfsg-1+squeeze1_amd64.deb bffa3343304c13c99a124f0b0b0a9868208039ee 2399554 libgs8_8.64~dfsg-1+squeeze1_amd64.deb f7c3486f9feb13599c6d5c6285e05b0cc88ab208 38320 libgs-dev_8.64~dfsg-1+squeeze1_amd64.deb Checksums-Sha256: c1b0b105c97e6519e799576b77ec122e1398ca68e1f0664ab6f1dd4994cb8fea 1686 ghostscript_8.64~dfsg-1+squeeze1.dsc cc856d33cb781cdc3383b8eb4e0f390997f8359fe144a906b84297b5d377f03d 11996078 ghostscript_8.64~dfsg.orig.tar.gz 56f7f81acef3de7dcd242ff64a762840d59b05f1c16247047dfb6dd11b6a0983 86715 ghostscript_8.64~dfsg-1+squeeze1.diff.gz 879dcaf08ca16d38a3bdbaa6ad825746075045fce6058dc682609bf1d4febc6e 30622 gs_8.64~dfsg-1+squeeze1_all.deb ee6930582ea9e8dc63dad0ea19f665fb557ea212dec2732e1c212a546fdf75e6 30618 gs-esp_8.64~dfsg-1+squeeze1_all.deb 1b47ef59970e8ed3fa8c5b295c85d7778d54260225491a76a53b2c5bb7a03e1e 30624 gs-gpl_8.64~dfsg-1+squeeze1_all.deb 4727d743dec40e284543eb485b747d863fd64a7d5dc4a3b5961988ece54974c2 30630 gs-aladdin_8.64~dfsg-1+squeeze1_all.deb 
c2a54af4b0f8371a9bd69256f3c360f3b997eab56b7c645443026fdee1dab797 30884 gs-common_8.64~dfsg-1+squeeze1_all.deb d855b88533b6f4f2d8fbd14eb75c8c2e6789e838c7b0fc9a96c2f18bf61b5fd5 2964652 ghostscript-doc_8.64~dfsg-1+squeeze1_all.deb 0220ad7802e7e36bf4b2332bf8e9bdcbba74bc635c2c04757c1b9b2899007543 769912 ghostscript_8.64~dfsg-1+squeeze1_amd64.deb 8fb3d594f4316e64749697a55b11601d8793d891cf8edf89ee8be595ca58f4d5 64032 ghostscript-x_8.64~dfsg-1+squeeze1_amd64.deb 5d0a1eea0c034b170fcdfe71355d79341240f906dd4be3f8cb81b832734cecf2 2399554 libgs8_8.64~dfsg-1+squeeze1_amd64.deb 4e0f12ff40de8f7a333a8f44ead78409822824c6ae96738be86068c121854578 38320 libgs-dev_8.64~dfsg-1+squeeze1_amd64.deb Files: f2487113efaedd0869b033e5dfd49cdd 1686 text optional ghostscript_8.64~dfsg-1+squeeze1.dsc e42706c2409815df5c959484080fd4a3 11996078 text optional ghostscript_8.64~dfsg.orig.tar.gz 8317ffc09f923368e4305f025c6bfcd9 86715 text optional ghostscript_8.64~dfsg-1+squeeze1.diff.gz 9e8022883ec4f35e22ac030fbd79a622 30622 text extra gs_8.64~dfsg-1+squeeze1_all.deb ff1f6644769114b644842cfb2456497f 30618 text extra gs-esp_8.64~dfsg-1+squeeze1_all.deb 12c3bd09877de8c8fc2def9431d82d79 30624 text extra gs-gpl_8.64~dfsg-1+squeeze1_all.deb b295fb9a4d18c3ada094cd259f69cfe9 30630 text extra gs-aladdin_8.64~dfsg-1+squeeze1_all.deb 20e9c0290d09dded49e1e0feccdc3368 30884 text extra gs-common_8.64~dfsg-1+squeeze1_all.deb 10ed6579ecce2302b647bf7df16ef46c 2964652 doc optional ghostscript-doc_8.64~dfsg-1+squeeze1_all.deb 61542d159ad18b46640761470dc85712 769912 text optional ghostscript_8.64~dfsg-1+squeeze1_amd64.deb 9942a8959be5eb58fa12b4e6d2b0635e 64032 text optional ghostscript-x_8.64~dfsg-1+squeeze1_amd64.deb d1b5c3846dac054078fbb2548c216ae0 2399554 libs optional libgs8_8.64~dfsg-1+squeeze1_amd64.deb 15158c213b74cab80a7c30bc4fbdc837 38320 libdevel optional libgs-dev_8.64~dfsg-1+squeeze1_amd64.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) 
iEYEARECAAYFAkn0fsgACgkQHYflSXNkfP8SrgCgi6VY5Ec67mZn5zjuXwiAOpnC 5AAAnR7J/I4ycrFr8Xc4gvglnHj7deQ6 =B/Kg -----END PGP SIGNATURE-----
--- End Message ---

