Your message dated Wed, 22 Apr 2009 00:02:07 +0000 with message-id <e1lwpuh-00017e...@ries.debian.org> and subject line Bug#524915: fixed in ghostscript 8.64~dfsg-1.1 has caused the Debian Bug report #524915, regarding ghostscript: CVE-2009-0792 multiple integer overflows in icc library to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 524915: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=524915 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: ghostscript Severity: grave Tags: security patch Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for ghostscript. CVE-2009-0792[0]: | Multiple integer overflows in icc.c in the International Color | Consortium (ICC) Format library (aka icclib), as used in Ghostscript | 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and | earlier, allow context-dependent attackers to cause a denial of | service (heap-based buffer overflow and application crash) or possibly | execute arbitrary code by using a device file for a translation | request that operates on a crafted image file and targets a certain | "native color space," related to an ICC profile in a (1) PostScript or | (2) PDF file with embedded images. NOTE: this issue exists because of | an incomplete fix for CVE-2009-0583. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. Patch attached. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0792 http://security-tracker.debian.net/tracker/CVE-2009-0792 -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.diff -up ghostscript-8.63/icclib/icc.c.CVE-2009-0792 ghostscript-8.63/icclib/icc.c --- ghostscript-8.63/icclib/icc.c.CVE-2009-0792 2009-04-15 16:37:49.000000000 +0100 +++ ghostscript-8.63/icclib/icc.c 2009-04-15 16:38:00.000000000 +0100 @@ -2982,7 +2982,7 @@ static int icmCurve_lookup_fwd( rv |= 1; } ix = (int)floor(val); /* Coordinate */ - if (ix > (p->size-2)) + if (ix < 0 || ix > (p->size-2)) ix = (p->size-2); w = val - (double)ix; /* weight */ val = p->data[ix]; 
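Review bot: The fallback index in `if (ix < 0 || ix > (p->size-2)) ix = (p->size-2);` is only valid when the curve has at least two entries; for a p->size of 0 or 1 the clamp itself yields an index outside p->data, and if size is an unsigned type the subtraction wraps instead of going negative, so the new `ix < 0` test does not catch that case either. Nothing in this hunk shows p->size >= 2 being enforced before lookup; the safe place for that is where the curve is read or set up, rejecting tables with fewer than two entries. The same fallback pattern appears in the icmTable_lookup_bwd hunk and in the three icmLut lookup hunks (inputEnt, clutPoints, outputEnt) further down, so one guard at load time covers all of them. icmCurve_lookup_fwd begins before and ends after this hunk.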
@@ -3004,6 +3004,11 @@ static int icmTable_setup_bwd( ) { int i; + if (size > INT_MAX - 2) + /* Although rt->size is unsigned long, the rt data + * structure uses int data types to store indices. */ + return 2; + rt->size = size; /* Stash pointers to these away */ rt->data = data; @@ -3022,7 +3027,7 @@ static int icmTable_setup_bwd( rt->qscale = (double)rt->rsize/(rt->rmax - rt->rmin); /* Scale factor to quantize to */ /* Initialize the reverse lookup structures, and get overall min/max */ - if ((rt->rlists = (int **) icp->al->calloc(icp->al, 1, rt->rsize * sizeof(int *))) == NULL) { + if ((rt->rlists = (int **) icp->al->calloc(icp->al, rt->rsize, sizeof(int *))) == NULL) { return 2; } @@ -3035,6 +3040,15 @@ static int icmTable_setup_bwd( int t; t = s; s = e; e = t; } + /* s and e should both be in the range [0,rt->rsize] + * now, but let's not rely on floating point + * calculations -- double-check. */ + if (s < 0) + s = 0; + if (e < 0) + e = 0; + if (s >= rt->rsize) + s = rt->rsize-1; if (e >= rt->rsize) e = rt->rsize-1; @@ -3053,6 +3067,9 @@ static int icmTable_setup_bwd( as = rt->rlists[j][0]; /* Allocate space for this list */ nf = rt->rlists[j][1]; /* Next free location in list */ if (nf >= as) { /* need to expand space */ + if (as > INT_MAX / 2 / sizeof (int)) + return 2; + as *= 2; rt->rlists[j] = (int *) icp->al->realloc(icp->al,rt->rlists[j], sizeof(int) * as); if (rt->rlists[j] == NULL) { @@ -3104,7 +3121,7 @@ static int icmTable_lookup_bwd( val = rsize_1; ix = (int)floor(val); /* Coordinate */ - if (ix > (rt->size-2)) + if (ix < 0 || ix > (rt->size-2)) ix = (rt->size-2); if (rt->rlists[ix] != NULL) { /* There is a list of fwd candidates */ /* For each candidate forward range */ 
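Review bot: The new `return 2;` after `if (size > INT_MAX - 2)` leaves icp->err and icp->errc untouched, whereas the allocation failures elsewhere in this patch report through `sprintf(icp->err, ...)` and `return icp->errc = 2;`, so a caller that reads icp->err after a rejected oversized table gets a stale or empty message; the `return 2;` added in the `as > INT_MAX / 2 / sizeof (int)` hunk below has the same gap. Suggest `sprintf(icp->err,"icmTable_setup_bwd: table size too large"); return icp->errc = 2;`, assuming icp is in scope here as it is at the calloc line. The comment is the right place to also record why INT_MAX - 2 is the bound (indices are stored as int and the code below uses size-2). The function header is outside the hunk.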
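Review bot: Moving the multiplication into `icp->al->calloc(icp->al, rt->rsize, sizeof(int *))` is only a fix if that allocator's calloc rejects num*size overflow; icp->al is an indirection the hunk does not show, and a wrapper that computes num*size itself and calls malloc would reintroduce the original overflow. An explicit pre-check keeps the guarantee local to this function, e.g. `if (rt->rsize < 0 || (size_t)rt->rsize > SIZE_MAX / sizeof(int *)) return 2;` (drop the sign test if rt->rsize is unsigned). If rsize is derived from size, the INT_MAX - 2 check added earlier already bounds it and this is belt-and-braces, but the line computing rt->rsize is outside the hunk.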
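Review bot: The clamps `if (s >= rt->rsize) s = rt->rsize-1;` and `if (e >= rt->rsize) e = rt->rsize-1;` assume rt->rsize >= 1; with an empty reverse table they assign -1, and the preceding `s < 0` / `e < 0` tests cannot catch that because they run first. The patch bounds the table at the large end (INT_MAX - 2) but not at the small end, and the line that computes rt->rsize is outside the hunk, so a guard right after it, `if (rt->rsize < 1) return 2;` (with the icp->err message used elsewhere in the function), would close this. The comment added above the clamps could say what they defend against: `/* Clamp to [0, rsize-1]; requires rsize >= 1, checked above */`.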
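Review bot: `if (as > INT_MAX / 2 / sizeof (int)) return 2;` exits from inside the per-bucket loop after rt->rlists and some of its lists have been allocated; unless the caller frees a half-built table on error (not visible here), those allocations are leaked on a malformed profile, which is a cheap memory-exhaustion path. The realloc on the following context line also stores straight back into `rt->rlists[j]`, so on failure the previous list pointer is lost too; the usual form is `int *tmp = icp->al->realloc(icp->al, rt->rlists[j], sizeof(int) * as); if (tmp == NULL) { ... } rt->rlists[j] = tmp;`. The comparison mixes `as` with a size_t expression, which is only correct while `as` is non-negative, so a comment stating that invariant would help the next reader.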
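Review bot: The clamped index is used as `rt->rlists[ix]`, but rt->rlists is allocated with rt->rsize entries in the setup hunk while the clamp compares against rt->size-2, a bound on a different array (rt->data). It is safe only while rt->rsize <= rt->size-1 for every table, a relation established somewhere outside these hunks; since `val` is already clamped to rsize_1 just above, the direct form `if (ix < 0 || ix >= rt->rsize) ix = rt->rsize-1;` states the actual invariant without depending on it. icmTable_lookup_bwd continues past the hunk.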
@@ -3131,6 +3148,7 @@ static int icmTable_lookup_bwd( /* We have failed to find an exact value, so return the nearest value */ /* (This is slow !) */ val = fabs(ival - rt->data[0]); + /* rt->size is known to be < INT_MAX */ for (k = 0, i = 1; i < rt->size; i++) { double er; er = fabs(ival - rt->data[i]); @@ -3671,7 +3689,7 @@ static int icmData_allocate( if (p->size != p->_size) { if (p->data != NULL) icp->al->free(icp->al, p->data); - if ((p->data = (unsigned char *) icp->al->malloc(icp->al, p->size * sizeof(unsigned char))) == NULL) { + if ((p->data = (unsigned char *) icp->al->calloc(icp->al, p->size, sizeof(unsigned char))) == NULL) { sprintf(icp->err,"icmData_alloc: malloc() of icmData data failed"); return icp->errc = 2; } @@ -3887,7 +3905,7 @@ static int icmText_allocate( if (p->size != p->_size) { if (p->data != NULL) icp->al->free(icp->al, p->data); - if ((p->data = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) { + if ((p->data = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) { sprintf(icp->err,"icmText_alloc: malloc() of icmText data failed"); return icp->errc = 2; } @@ -4301,7 +4319,7 @@ double *in /* Input array[inputChan] */ rv |= 1; } ix = (int)floor(val); /* Grid coordinate */ - if (ix > (p->inputEnt-2)) + if (ix < 0 || ix > (p->inputEnt-2)) ix = (p->inputEnt-2); w = val - (double)ix; /* weight */ val = table[ix]; @@ -4360,7 +4378,7 @@ double *in /* Input array[outputChan] * rv |= 1; } x = (int)floor(val); /* Grid coordinate */ - if (x > clutPoints_2) + if (x < 0 || x > clutPoints_2) x = clutPoints_2; co[e] = val - (double)x; /* 1.0 - weight */ gp += x * p->dinc[e]; /* Add index offset for base of cube */ @@ -4433,7 +4451,7 @@ double *in /* Input array[outputChan] * rv |= 1; } x = (int)floor(val); /* Grid coordinate */ - if (x > clutPoints_2) + if (x < 0 || x > clutPoints_2) x = clutPoints_2; co[e] = val - (double)x; /* 1.0 - weight */ gp += x * p->dinc[e]; /* Add index offset for base of cube */ 
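Review bot: The comment `/* rt->size is known to be < INT_MAX */` asserts a fact without saying where it comes from; the guarantee is the `size > INT_MAX - 2` check in icmTable_setup_bwd, and it holds only if setup ran before this lookup. Naming the source makes the loop's `i < rt->size` comparison auditable, e.g. `/* rt->size < INT_MAX - 2, enforced by icmTable_setup_bwd, so i cannot wrap here */` (assuming i is an int, which the hunk does not show).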
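Review bot: The error text `"icmData_alloc: malloc() of icmData data failed"` now sits under a calloc call, and the same mismatch is in the icmText_allocate hunk and in the icmTextDescription_allocate, icmUcrBg_allocate and icmCrdInfo_allocate hunks later in the patch. With sizeof(unsigned char) and sizeof(char) both 1, switching these calls to calloc adds no multiplication-overflow protection; what it changes is that the buffer is zero-filled, which matters only if p->size bytes are not always written afterwards, and the readers are not visible here. If the zero-fill is the intent, record it: `/* calloc: a short read must not leave uninitialized bytes in p->data */`; otherwise the message should at least say `calloc()`.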
@@ -4506,7 +4524,7 @@ double *in /* Input array[outputChan] * rv |= 1; } ix = (int)floor(val); /* Grid coordinate */ - if (ix > (p->outputEnt-2)) + if (ix < 0 || ix > (p->outputEnt-2)) ix = (p->outputEnt-2); w = val - (double)ix; /* weight */ val = table[ix]; @@ -6714,7 +6732,7 @@ static int icmTextDescription_allocate( if (p->size != p->_size) { if (p->desc != NULL) icp->al->free(icp->al, p->desc); - if ((p->desc = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) { + if ((p->desc = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) { sprintf(icp->err,"icmTextDescription_alloc: malloc() of Ascii description failed"); return icp->errc = 2; } @@ -7888,7 +7906,7 @@ static int icmUcrBg_allocate( if (p->size != p->_size) { if (p->string != NULL) icp->al->free(icp->al, p->string); - if ((p->string = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) { + if ((p->string = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) { sprintf(icp->err,"icmUcrBg_allocate: malloc() of string data failed"); return icp->errc = 2; } @@ -8827,7 +8845,7 @@ static int icmCrdInfo_allocate( if (p->ppsize != p->_ppsize) { if (p->ppname != NULL) icp->al->free(icp->al, p->ppname); - if ((p->ppname = (char *) icp->al->malloc(icp->al, p->ppsize * sizeof(char))) == NULL) { + if ((p->ppname = (char *) icp->al->calloc(icp->al, p->ppsize, sizeof(char))) == NULL) { sprintf(icp->err,"icmCrdInfo_alloc: malloc() of string data failed"); return icp->errc = 2; } @@ -8837,7 +8855,7 @@ static int icmCrdInfo_allocate( if (p->crdsize[t] != p->_crdsize[t]) { if (p->crdname[t] != NULL) icp->al->free(icp->al, p->crdname[t]); - if ((p->crdname[t] = (char *) icp->al->malloc(icp->al, p->crdsize[t] * sizeof(char))) == NULL) { + if ((p->crdname[t] = (char *) icp->al->calloc(icp->al, p->crdsize[t], sizeof(char))) == NULL) { sprintf(icp->err,"icmCrdInfo_alloc: malloc() of CRD%d name string failed",t); return icp->errc = 2; }
pgpmBZTqz0vgC.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---Source: ghostscript Source-Version: 8.64~dfsg-1.1 We believe that the bug you reported is fixed in the latest version of ghostscript, which is due to be installed in the Debian FTP archive: ghostscript-doc_8.64~dfsg-1.1_all.deb to pool/main/g/ghostscript/ghostscript-doc_8.64~dfsg-1.1_all.deb ghostscript-x_8.64~dfsg-1.1_amd64.deb to pool/main/g/ghostscript/ghostscript-x_8.64~dfsg-1.1_amd64.deb ghostscript_8.64~dfsg-1.1.diff.gz to pool/main/g/ghostscript/ghostscript_8.64~dfsg-1.1.diff.gz ghostscript_8.64~dfsg-1.1.dsc to pool/main/g/ghostscript/ghostscript_8.64~dfsg-1.1.dsc ghostscript_8.64~dfsg-1.1_amd64.deb to pool/main/g/ghostscript/ghostscript_8.64~dfsg-1.1_amd64.deb gs-aladdin_8.64~dfsg-1.1_all.deb to pool/main/g/ghostscript/gs-aladdin_8.64~dfsg-1.1_all.deb gs-common_8.64~dfsg-1.1_all.deb to pool/main/g/ghostscript/gs-common_8.64~dfsg-1.1_all.deb gs-esp_8.64~dfsg-1.1_all.deb to pool/main/g/ghostscript/gs-esp_8.64~dfsg-1.1_all.deb gs-gpl_8.64~dfsg-1.1_all.deb to pool/main/g/ghostscript/gs-gpl_8.64~dfsg-1.1_all.deb gs_8.64~dfsg-1.1_all.deb to pool/main/g/ghostscript/gs_8.64~dfsg-1.1_all.deb libgs-dev_8.64~dfsg-1.1_amd64.deb to pool/main/g/ghostscript/libgs-dev_8.64~dfsg-1.1_amd64.deb libgs8_8.64~dfsg-1.1_amd64.deb to pool/main/g/ghostscript/libgs8_8.64~dfsg-1.1_amd64.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 524...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. 
Nico Golde <n...@debian.org> (supplier of updated ghostscript package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: Wed, 22 Apr 2009 00:19:51 +0200 Source: ghostscript Binary: ghostscript gs gs-esp gs-gpl gs-aladdin gs-common ghostscript-x ghostscript-doc libgs8 libgs-dev Architecture: source all amd64 Version: 8.64~dfsg-1.1 Distribution: unstable Urgency: high Maintainer: Masayuki Hatta (mhatta) <mha...@debian.org> Changed-By: Nico Golde <n...@debian.org> Description: ghostscript - The GPL Ghostscript PostScript/PDF interpreter ghostscript-doc - The GPL Ghostscript PostScript/PDF interpreter - Documentation ghostscript-x - The GPL Ghostscript PostScript/PDF interpreter - X Display suppor gs - Transitional package gs-aladdin - Transitional package gs-common - Dummy package depending on ghostscript gs-esp - Transitional package gs-gpl - Transitional package libgs-dev - The Ghostscript PostScript Library - Development Files libgs8 - The Ghostscript PostScript/PDF interpreter Library Closes: 522416 524803 524915 Changes: ghostscript (8.64~dfsg-1.1) unstable; urgency=high . * Non-maintainer upload by the Security Team. * This update fixes various security issues: - CVE-2009-0792: multiple integer overflows in the icc library can cause a heap-based buffer overflow possibly leading to arbitray code execution. - CVE-2009-0584/CVE-2009-0583: Multiple integer overflows causing an application crash or possibly arbitrary code execution. - CVE-2009-0196: heap-based buffer overflow in big2_decode_symbol_dict() leading to arbitrary code execution via a crafted JBIG2 symbol dictionary segment. . 
(Closes: #524915, #522416, #524803) Checksums-Sha1: 48bc19b292ba7fb13834b44605fd9cb5159494a4 1658 ghostscript_8.64~dfsg-1.1.dsc ee96233f4e4193fa02b59fcca02dc6520cc4669a 85786 ghostscript_8.64~dfsg-1.1.diff.gz edab987df5b0e64fba7f8ebd8e8289ceb407351d 30578 gs_8.64~dfsg-1.1_all.deb 4a44c06643c3ff2bc3057ba0c65371d706f489ec 30580 gs-esp_8.64~dfsg-1.1_all.deb 27b3d212393054e351853a33d3c1430c5bfc6b8c 30584 gs-gpl_8.64~dfsg-1.1_all.deb 4c63ee50c2f8711e86a9a83916f52861623d67b5 30586 gs-aladdin_8.64~dfsg-1.1_all.deb ca04fe4286efe55cd2e13819aa0e8ac2b746ff30 30838 gs-common_8.64~dfsg-1.1_all.deb 70642368aa4ee1f48ca6042e37e763f279515726 2967238 ghostscript-doc_8.64~dfsg-1.1_all.deb 41e5bd0f754230194f52a9833e3bfc85a15bb77f 770316 ghostscript_8.64~dfsg-1.1_amd64.deb e238145504a7dd3143d282edfdd42819f0ab931f 64714 ghostscript-x_8.64~dfsg-1.1_amd64.deb ebe85b907136c30925520e65094568ee1cfd6450 2399198 libgs8_8.64~dfsg-1.1_amd64.deb 3974e4cceb13266505e0b5e5b849c838747d052e 38346 libgs-dev_8.64~dfsg-1.1_amd64.deb Checksums-Sha256: 0d4bae2b02705659308f06527343ea8c269be555de6d52410201f9da3a2caf7b 1658 ghostscript_8.64~dfsg-1.1.dsc 4828b4680c4d897c06ed8d895004cb7eae50bd5a0d2970a17c34f197e65d86e3 85786 ghostscript_8.64~dfsg-1.1.diff.gz 8c8c43a820fa897ebd0e990d30feebdc283c5873c0eef75caa9da720271dcd91 30578 gs_8.64~dfsg-1.1_all.deb 7209fa298a4ab6ee84a5affd53ef3cb006d49f4311eaca9043beac605b199fce 30580 gs-esp_8.64~dfsg-1.1_all.deb 0c0a2fe0b4cbd1ecbb8adcd1dfb9d2d5afee08d54189aaa2c593c87cc3d8e515 30584 gs-gpl_8.64~dfsg-1.1_all.deb 5379d214ea23c3e182cdfa4e4e1ee793a23754a47083ab2042e228dfa77d9de5 30586 gs-aladdin_8.64~dfsg-1.1_all.deb c3469692907c6afff25b6ff6a22a0fa778fea1238d136c6c6cbe98ed84fab3ab 30838 gs-common_8.64~dfsg-1.1_all.deb 4c076b69eb93f9635e2ea4343e6c92be3976aa15880b509cbf70a042d2943ea8 2967238 ghostscript-doc_8.64~dfsg-1.1_all.deb c15e453acfab7a233e805356c631bdf341c6dc501dae4a8ca9f24ffb3ea07d8d 770316 ghostscript_8.64~dfsg-1.1_amd64.deb 
4726ff1be484e4b29d01b863964cf6e3a2fc51eb0620dbe3e6d73b9828c8e4a1 64714 ghostscript-x_8.64~dfsg-1.1_amd64.deb a51cdf7a3dcddead8db46225a65eccf17c04fafc34e07b9df19074ddf4c3e852 2399198 libgs8_8.64~dfsg-1.1_amd64.deb e45c54461b6d74462acbef5db96a2575d24f0c4f5923f1c523b446d3ba15a068 38346 libgs-dev_8.64~dfsg-1.1_amd64.deb Files: 2cb5e199d8a542bb9fe2491d199a5a37 1658 text optional ghostscript_8.64~dfsg-1.1.dsc b75e64ce81ee96df3bc296730685cf5b 85786 text optional ghostscript_8.64~dfsg-1.1.diff.gz 4d8696d211e330dc102e5859a1d22482 30578 text extra gs_8.64~dfsg-1.1_all.deb 4575e835cf84f61e85b095ef14d18555 30580 text extra gs-esp_8.64~dfsg-1.1_all.deb 3ea99fcaddc2f57305e17542f8e7f0eb 30584 text extra gs-gpl_8.64~dfsg-1.1_all.deb a19a2211a52c7799d9d97b42da6682b8 30586 text extra gs-aladdin_8.64~dfsg-1.1_all.deb 226ec96efd4510e42e24ca53d9e59da2 30838 text extra gs-common_8.64~dfsg-1.1_all.deb c1cf9564b59d349b1bb7979737f1fbd1 2967238 doc optional ghostscript-doc_8.64~dfsg-1.1_all.deb ade92597066cd987a7d209f30d1d2bdd 770316 text optional ghostscript_8.64~dfsg-1.1_amd64.deb b81e7b7f7cb796b475237d1ac52d8c55 64714 text optional ghostscript-x_8.64~dfsg-1.1_amd64.deb 4666898f5ed8171fd479d7993d50c893 2399198 libs optional libgs8_8.64~dfsg-1.1_amd64.deb 645ec9793b135975b5873505a3814f83 38346 libdevel optional libgs-dev_8.64~dfsg-1.1_amd64.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAknuXAwACgkQHYflSXNkfP/PZgCcCJUOXQGeIYGgl9CWPgipjSqT Cd8AoLcpA3a5GTwICRXJ+efN7aXf3Huf =AVIk -----END PGP SIGNATURE-----
--- End Message ---