Your message dated Wed, 22 Apr 2009 00:02:07 +0000
with message-id <e1lwpuh-00017e...@ries.debian.org>
and subject line Bug#524915: fixed in ghostscript 8.64~dfsg-1.1
has caused the Debian Bug report #524915,
regarding ghostscript: CVE-2009-0792 multiple integer overflows in icc library
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
524915: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=524915
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ghostscript
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ghostscript.

CVE-2009-0792[0]:
| Multiple integer overflows in icc.c in the International Color
| Consortium (ICC) Format library (aka icclib), as used in Ghostscript
| 8.64 and earlier and Argyll Color Management System (CMS) 1.0.3 and
| earlier, allow context-dependent attackers to cause a denial of
| service (heap-based buffer overflow and application crash) or possibly
| execute arbitrary code by using a device file for a translation
| request that operates on a crafted image file and targets a certain
| "native color space," related to an ICC profile in a (1) PostScript or
| (2) PDF file with embedded images.  NOTE: this issue exists because of
| an incomplete fix for CVE-2009-0583.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Patch attached.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0792
    http://security-tracker.debian.net/tracker/CVE-2009-0792

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -up ghostscript-8.63/icclib/icc.c.CVE-2009-0792 ghostscript-8.63/icclib/icc.c
--- ghostscript-8.63/icclib/icc.c.CVE-2009-0792	2009-04-15 16:37:49.000000000 +0100
+++ ghostscript-8.63/icclib/icc.c	2009-04-15 16:38:00.000000000 +0100
@@ -2982,7 +2982,7 @@ static int icmCurve_lookup_fwd(
 			rv |= 1;
 		}
 		ix = (int)floor(val);		/* Coordinate */
-		if (ix > (p->size-2))
+		if (ix < 0 || ix > (p->size-2))
 			ix = (p->size-2);
 		w = val - (double)ix;		/* weight */
 		val = p->data[ix];
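Review bot: The new `ix < 0` test on the clamp line still leaves a table with fewer than two entries unhandled: for p->size of 0 or 1 the clamp target `p->size-2` is negative (or wraps, if size is an unsigned type — its declaration is not in the hunk), so ix is assigned an out-of-range value that `p->data[ix]` on the last line then reads. A precondition check such as `if (p->size < 2) return 1;` before the lookup, or a rejection of such curves where the tag is read, would close that gap; which return value fits the function's convention is not visible, since rv appears to be a clipping bitmask here. icmCurve_lookup_fwd begins and ends outside the hunk.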
@@ -3004,6 +3004,11 @@ static int icmTable_setup_bwd(
 ) {
 	int i;
 
+	if (size > INT_MAX - 2)
+		/* Although rt->size is unsigned long, the rt data
+		 * structure uses int data types to store indices. */
+		return 2;
+
 	rt->size = size;		/* Stash pointers to these away */
 	rt->data = data;
 	
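Review bot: The new upper bound `size > INT_MAX - 2` does not reject small tables, yet icmTable_lookup_bwd later clamps with `rt->size-2` and unconditionally reads `rt->data[0]`, so a size of 0 or 1 still produces a wrapped or negative index. Extending the guard to `if (size < 2 || size > INT_MAX - 2) return 2;` keeps both ends safe. The check also needs INT_MAX from <limits.h>; whether icc.c already includes it cannot be seen here. The function continues outside the hunk.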
@@ -3022,7 +3027,7 @@ static int icmTable_setup_bwd(
 	rt->qscale = (double)rt->rsize/(rt->rmax - rt->rmin);	/* Scale factor to quantize to */
 	
 	/* Initialize the reverse lookup structures, and get overall min/max */
-	if ((rt->rlists = (int **) icp->al->calloc(icp->al, 1, rt->rsize * sizeof(int *))) == NULL) {
+	if ((rt->rlists = (int **) icp->al->calloc(icp->al, rt->rsize, sizeof(int *))) == NULL) {
 		return 2;
 	}
 
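Review bot: Moving the multiplication into calloc's count/size arguments only prevents overflow if `icp->al->calloc` itself checks the product; this is an indirection through an allocator table, and a default implementation that computes `n * size` and calls malloc would silently reintroduce the overflow. Worth confirming the default allocator's calloc, or guarding explicitly before the call: `if (rt->rsize > SIZE_MAX / sizeof(int *)) return 2;` (SIZE_MAX from <stdint.h>). How rt->rsize is derived is outside this hunk.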
@@ -3035,6 +3040,15 @@ static int icmTable_setup_bwd(
 			int t;
 			t = s; s = e; e = t;
 		}
+		/* s and e should both be in the range [0,rt->rsize]
+		 * now, but let's not rely on floating point
+		 * calculations -- double-check. */
+		if (s < 0)
+			s = 0;
+		if (e < 0)
+			e = 0;
+		if (s >= rt->rsize)
+			s = rt->rsize-1;
 		if (e >= rt->rsize)
 			e = rt->rsize-1;
 
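Review bot: The order of the four new clamps is load-bearing and deserves a comment: the `< 0` checks run before the `>= rt->rsize` comparisons, so if rt->rsize is unsigned (its type is not visible here) a negative s or e has already been forced to 0 and cannot promote to a huge unsigned value that slips past the upper bound. The added comment also states the wrong range: the code clamps to [0, rt->rsize-1], not [0,rt->rsize]. Suggested comment: `/* Clamp negatives first: if rsize is unsigned, a negative s/e would otherwise compare as huge and pass the upper-bound check. */`.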
@@ -3053,6 +3067,9 @@ static int icmTable_setup_bwd(
 				as = rt->rlists[j][0];	/* Allocate space for this list */
 				nf = rt->rlists[j][1];	/* Next free location in list */
 				if (nf >= as) {			/* need to expand space */
+					if (as > INT_MAX / 2 / sizeof (int))
+						return 2;
+
 					as *= 2;
 					rt->rlists[j] = (int *) icp->al->realloc(icp->al,rt->rlists[j], sizeof(int) * as);
 					if (rt->rlists[j] == NULL) {
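Review bot: The new overflow guard returns 2 from inside the per-entry loop with `rt->rlists` and some `rt->rlists[j]` already allocated; whether the caller releases them on a non-zero return is not visible, and the pre-existing realloc-failure path on the next line is cut off by the hunk, so the new return may or may not match its behaviour. If the existing path frees the partial lists, the new return should take the same route rather than bail directly. The comparison `as > INT_MAX / 2 / sizeof (int)` mixes int and size_t; since `as` comes from `rt->rlists[j][0]`, which the surrounding code stores as int, a negative `as` would be promoted to a large unsigned value and rejected, which is acceptable but worth a one-line comment.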
@@ -3104,7 +3121,7 @@ static int icmTable_lookup_bwd(
 		val = rsize_1;
 	ix = (int)floor(val);		/* Coordinate */
 
-	if (ix > (rt->size-2))
+	if (ix < 0 || ix > (rt->size-2))
 		ix = (rt->size-2);
 	if (rt->rlists[ix] != NULL)  {		/* There is a list of fwd candidates */
 		/* For each candidate forward range */
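Review bot: The clamp bounds ix by `rt->size-2`, but the array indexed on the next line, `rt->rlists`, is allocated with `rt->rsize` entries (the calloc in icmTable_setup_bwd), and val was clamped to rsize_1 just above. Unless rsize >= size-1 is guaranteed — the relation between the two is not visible here — an ix of size-2 can exceed the rlists allocation; clamping against the allocated length, `if (ix < 0) ix = 0; if (ix >= rt->rsize) ix = rt->rsize-1;`, would index what was actually allocated. With rt->size declared unsigned long (per the comment added in setup_bwd), a size below 2 also makes `rt->size-2` wrap, so that case should be rejected in setup. The function starts outside the hunk.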
@@ -3131,6 +3148,7 @@ static int icmTable_lookup_bwd(
 	/* We have failed to find an exact value, so return the nearest value */
 	/* (This is slow !) */
 	val = fabs(ival - rt->data[0]);
+	/* rt->size is known to be < INT_MAX */
 	for (k = 0, i = 1; i < rt->size; i++) {
 		double er;
 		er = fabs(ival - rt->data[i]);
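Review bot: The added comment asserts a bound without saying where it is enforced, so a reader of icmTable_lookup_bwd cannot tell it comes from the new check in icmTable_setup_bwd. Suggest `/* rt->size <= INT_MAX - 2, enforced by icmTable_setup_bwd, so an int loop index cannot overflow here */` (i's declaration is outside the hunk, so its type is inferred from the comment). Note that `rt->data[0]` is read unconditionally two lines above, so a zero-length table is still not handled here unless setup rejects it. The loop body continues outside the hunk.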
@@ -3671,7 +3689,7 @@ static int icmData_allocate(
 	if (p->size != p->_size) {
 		if (p->data != NULL)
 			icp->al->free(icp->al, p->data);
-		if ((p->data = (unsigned char *) icp->al->malloc(icp->al, p->size * sizeof(unsigned char))) == NULL) {
+		if ((p->data = (unsigned char *) icp->al->calloc(icp->al, p->size, sizeof(unsigned char))) == NULL) {
 			sprintf(icp->err,"icmData_alloc: malloc() of icmData data failed");
 			return icp->errc = 2;
 		}
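Review bot: Switching to calloc here buys zero-initialisation rather than overflow protection: the old product `p->size * sizeof(unsigned char)` could never overflow because sizeof(unsigned char) is 1, so the security-relevant effect, if any, is that a later short read of the buffer sees zeros instead of stale heap contents. The error message on the following line still says `malloc()`; changing it to `calloc()` keeps the diagnostic honest. Whether `p->size` is bounded before this point is outside the hunk.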
@@ -3887,7 +3905,7 @@ static int icmText_allocate(
 	if (p->size != p->_size) {
 		if (p->data != NULL)
 			icp->al->free(icp->al, p->data);
-		if ((p->data = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
+		if ((p->data = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
 			sprintf(icp->err,"icmText_alloc: malloc() of icmText data failed");
 			return icp->errc = 2;
 		}
@@ -4301,7 +4319,7 @@ double *in		/* Input array[inputChan] */
 			rv |= 1;
 		}
 		ix = (int)floor(val);		/* Grid coordinate */
-		if (ix > (p->inputEnt-2))
+		if (ix < 0 || ix > (p->inputEnt-2))
 			ix = (p->inputEnt-2);
 		w = val - (double)ix;		/* weight */
 		val = table[ix];
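Review bot: As with the other clamps in this patch, `ix < 0 || ix > (p->inputEnt-2)` assumes p->inputEnt >= 2; for an input table with 0 or 1 entries the clamp target `p->inputEnt-2` is itself out of range and `table[ix]` on the last line reads it. Since inputEnt presumably comes from the profile being parsed, rejecting values below 2 where the LUT tag is read would protect every lookup at once, with a comment here recording the precondition: `/* assumes inputEnt >= 2, validated when the tag is read */`. The enclosing function starts and ends outside the hunk.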
@@ -4360,7 +4378,7 @@ double *in		/* Input array[outputChan] *
 				rv |= 1;
 			}
 			x = (int)floor(val);		/* Grid coordinate */
-			if (x > clutPoints_2)
+			if (x < 0 || x > clutPoints_2)
 				x = clutPoints_2;
 			co[e] = val - (double)x;	/* 1.0 - weight */
 			gp += x * p->dinc[e];		/* Add index offset for base of cube */
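Review bot: The clamp makes x non-negative only if clutPoints_2 is itself non-negative; clutPoints_2 is computed outside the hunk, and if it is clutPoints-2 for a grid with fewer than two points, `x = clutPoints_2` assigns a negative value that then feeds `gp += x * p->dinc[e]` and moves gp before the start of the table. The lower bound should be established once on clutPoints (at least 2) when the LUT is read, with a comment here noting the precondition: `/* assumes clutPoints >= 2, checked when the tag is read */`. The enclosing function continues outside the hunk.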
@@ -4433,7 +4451,7 @@ double *in		/* Input array[outputChan] *
 				rv |= 1;
 			}
 			x = (int)floor(val);		/* Grid coordinate */
-			if (x > clutPoints_2)
+			if (x < 0 || x > clutPoints_2)
 				x = clutPoints_2;
 			co[e] = val - (double)x;	/* 1.0 - weight */
 			gp += x * p->dinc[e];		/* Add index offset for base of cube */
@@ -4506,7 +4524,7 @@ double *in		/* Input array[outputChan] *
 			rv |= 1;
 		}
 		ix = (int)floor(val);		/* Grid coordinate */
-		if (ix > (p->outputEnt-2))
+		if (ix < 0 || ix > (p->outputEnt-2))
 			ix = (p->outputEnt-2);
 		w = val - (double)ix;		/* weight */
 		val = table[ix];
@@ -6714,7 +6732,7 @@ static int icmTextDescription_allocate(
 	if (p->size != p->_size) {
 		if (p->desc != NULL)
 			icp->al->free(icp->al, p->desc);
-		if ((p->desc = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
+		if ((p->desc = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
 			sprintf(icp->err,"icmTextDescription_alloc: malloc() of Ascii description failed");
 			return icp->errc = 2;
 		}
@@ -7888,7 +7906,7 @@ static int icmUcrBg_allocate(
 	if (p->size != p->_size) {
 		if (p->string != NULL)
 			icp->al->free(icp->al, p->string);
-		if ((p->string = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
+		if ((p->string = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
 			sprintf(icp->err,"icmUcrBg_allocate: malloc() of string data failed");
 			return icp->errc = 2;
 		}
@@ -8827,7 +8845,7 @@ static int icmCrdInfo_allocate(
 	if (p->ppsize != p->_ppsize) {
 		if (p->ppname != NULL)
 			icp->al->free(icp->al, p->ppname);
-		if ((p->ppname = (char *) icp->al->malloc(icp->al, p->ppsize * sizeof(char))) == NULL) {
+		if ((p->ppname = (char *) icp->al->calloc(icp->al, p->ppsize, sizeof(char))) == NULL) {
 			sprintf(icp->err,"icmCrdInfo_alloc: malloc() of string data failed");
 			return icp->errc = 2;
 		}
@@ -8837,7 +8855,7 @@ static int icmCrdInfo_allocate(
 		if (p->crdsize[t] != p->_crdsize[t]) {
 			if (p->crdname[t] != NULL)
 				icp->al->free(icp->al, p->crdname[t]);
-			if ((p->crdname[t] = (char *) icp->al->malloc(icp->al, p->crdsize[t] * sizeof(char))) == NULL) {
+			if ((p->crdname[t] = (char *) icp->al->calloc(icp->al, p->crdsize[t], sizeof(char))) == NULL) {
 				sprintf(icp->err,"icmCrdInfo_alloc: malloc() of CRD%d name string failed",t);
 				return icp->errc = 2;
 			}

Attachment: pgpmBZTqz0vgC.pgp
Description: PGP signature


--- End Message ---
--- Begin Message ---
Source: ghostscript
Source-Version: 8.64~dfsg-1.1

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive:

ghostscript-doc_8.64~dfsg-1.1_all.deb
  to pool/main/g/ghostscript/ghostscript-doc_8.64~dfsg-1.1_all.deb
ghostscript-x_8.64~dfsg-1.1_amd64.deb
  to pool/main/g/ghostscript/ghostscript-x_8.64~dfsg-1.1_amd64.deb
ghostscript_8.64~dfsg-1.1.diff.gz
  to pool/main/g/ghostscript/ghostscript_8.64~dfsg-1.1.diff.gz
ghostscript_8.64~dfsg-1.1.dsc
  to pool/main/g/ghostscript/ghostscript_8.64~dfsg-1.1.dsc
ghostscript_8.64~dfsg-1.1_amd64.deb
  to pool/main/g/ghostscript/ghostscript_8.64~dfsg-1.1_amd64.deb
gs-aladdin_8.64~dfsg-1.1_all.deb
  to pool/main/g/ghostscript/gs-aladdin_8.64~dfsg-1.1_all.deb
gs-common_8.64~dfsg-1.1_all.deb
  to pool/main/g/ghostscript/gs-common_8.64~dfsg-1.1_all.deb
gs-esp_8.64~dfsg-1.1_all.deb
  to pool/main/g/ghostscript/gs-esp_8.64~dfsg-1.1_all.deb
gs-gpl_8.64~dfsg-1.1_all.deb
  to pool/main/g/ghostscript/gs-gpl_8.64~dfsg-1.1_all.deb
gs_8.64~dfsg-1.1_all.deb
  to pool/main/g/ghostscript/gs_8.64~dfsg-1.1_all.deb
libgs-dev_8.64~dfsg-1.1_amd64.deb
  to pool/main/g/ghostscript/libgs-dev_8.64~dfsg-1.1_amd64.deb
libgs8_8.64~dfsg-1.1_amd64.deb
  to pool/main/g/ghostscript/libgs8_8.64~dfsg-1.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 524...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <n...@debian.org> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 22 Apr 2009 00:19:51 +0200
Source: ghostscript
Binary: ghostscript gs gs-esp gs-gpl gs-aladdin gs-common ghostscript-x 
ghostscript-doc libgs8 libgs-dev
Architecture: source all amd64
Version: 8.64~dfsg-1.1
Distribution: unstable
Urgency: high
Maintainer: Masayuki Hatta (mhatta) <mha...@debian.org>
Changed-By: Nico Golde <n...@debian.org>
Description: 
 ghostscript - The GPL Ghostscript PostScript/PDF interpreter
 ghostscript-doc - The GPL Ghostscript PostScript/PDF interpreter - 
Documentation
 ghostscript-x - The GPL Ghostscript PostScript/PDF interpreter - X Display 
suppor
 gs         - Transitional package
 gs-aladdin - Transitional package
 gs-common  - Dummy package depending on ghostscript
 gs-esp     - Transitional package
 gs-gpl     - Transitional package
 libgs-dev  - The Ghostscript PostScript Library - Development Files
 libgs8     - The Ghostscript PostScript/PDF interpreter Library
Closes: 522416 524803 524915
Changes: 
 ghostscript (8.64~dfsg-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * This update fixes various security issues:
     - CVE-2009-0792: multiple integer overflows in the icc library
       can cause a heap-based buffer overflow possibly leading to arbitray
       code execution.
     - CVE-2009-0584/CVE-2009-0583: Multiple integer overflows causing an
       application crash or possibly arbitrary code execution.
     - CVE-2009-0196: heap-based buffer overflow in big2_decode_symbol_dict()
       leading to arbitrary code execution via a crafted JBIG2 symbol
       dictionary segment.
       .
       (Closes: #524915, #522416, #524803)
Checksums-Sha1: 
 48bc19b292ba7fb13834b44605fd9cb5159494a4 1658 ghostscript_8.64~dfsg-1.1.dsc
 ee96233f4e4193fa02b59fcca02dc6520cc4669a 85786 
ghostscript_8.64~dfsg-1.1.diff.gz
 edab987df5b0e64fba7f8ebd8e8289ceb407351d 30578 gs_8.64~dfsg-1.1_all.deb
 4a44c06643c3ff2bc3057ba0c65371d706f489ec 30580 gs-esp_8.64~dfsg-1.1_all.deb
 27b3d212393054e351853a33d3c1430c5bfc6b8c 30584 gs-gpl_8.64~dfsg-1.1_all.deb
 4c63ee50c2f8711e86a9a83916f52861623d67b5 30586 gs-aladdin_8.64~dfsg-1.1_all.deb
 ca04fe4286efe55cd2e13819aa0e8ac2b746ff30 30838 gs-common_8.64~dfsg-1.1_all.deb
 70642368aa4ee1f48ca6042e37e763f279515726 2967238 
ghostscript-doc_8.64~dfsg-1.1_all.deb
 41e5bd0f754230194f52a9833e3bfc85a15bb77f 770316 
ghostscript_8.64~dfsg-1.1_amd64.deb
 e238145504a7dd3143d282edfdd42819f0ab931f 64714 
ghostscript-x_8.64~dfsg-1.1_amd64.deb
 ebe85b907136c30925520e65094568ee1cfd6450 2399198 libgs8_8.64~dfsg-1.1_amd64.deb
 3974e4cceb13266505e0b5e5b849c838747d052e 38346 
libgs-dev_8.64~dfsg-1.1_amd64.deb
Checksums-Sha256: 
 0d4bae2b02705659308f06527343ea8c269be555de6d52410201f9da3a2caf7b 1658 
ghostscript_8.64~dfsg-1.1.dsc
 4828b4680c4d897c06ed8d895004cb7eae50bd5a0d2970a17c34f197e65d86e3 85786 
ghostscript_8.64~dfsg-1.1.diff.gz
 8c8c43a820fa897ebd0e990d30feebdc283c5873c0eef75caa9da720271dcd91 30578 
gs_8.64~dfsg-1.1_all.deb
 7209fa298a4ab6ee84a5affd53ef3cb006d49f4311eaca9043beac605b199fce 30580 
gs-esp_8.64~dfsg-1.1_all.deb
 0c0a2fe0b4cbd1ecbb8adcd1dfb9d2d5afee08d54189aaa2c593c87cc3d8e515 30584 
gs-gpl_8.64~dfsg-1.1_all.deb
 5379d214ea23c3e182cdfa4e4e1ee793a23754a47083ab2042e228dfa77d9de5 30586 
gs-aladdin_8.64~dfsg-1.1_all.deb
 c3469692907c6afff25b6ff6a22a0fa778fea1238d136c6c6cbe98ed84fab3ab 30838 
gs-common_8.64~dfsg-1.1_all.deb
 4c076b69eb93f9635e2ea4343e6c92be3976aa15880b509cbf70a042d2943ea8 2967238 
ghostscript-doc_8.64~dfsg-1.1_all.deb
 c15e453acfab7a233e805356c631bdf341c6dc501dae4a8ca9f24ffb3ea07d8d 770316 
ghostscript_8.64~dfsg-1.1_amd64.deb
 4726ff1be484e4b29d01b863964cf6e3a2fc51eb0620dbe3e6d73b9828c8e4a1 64714 
ghostscript-x_8.64~dfsg-1.1_amd64.deb
 a51cdf7a3dcddead8db46225a65eccf17c04fafc34e07b9df19074ddf4c3e852 2399198 
libgs8_8.64~dfsg-1.1_amd64.deb
 e45c54461b6d74462acbef5db96a2575d24f0c4f5923f1c523b446d3ba15a068 38346 
libgs-dev_8.64~dfsg-1.1_amd64.deb
Files: 
 2cb5e199d8a542bb9fe2491d199a5a37 1658 text optional 
ghostscript_8.64~dfsg-1.1.dsc
 b75e64ce81ee96df3bc296730685cf5b 85786 text optional 
ghostscript_8.64~dfsg-1.1.diff.gz
 4d8696d211e330dc102e5859a1d22482 30578 text extra gs_8.64~dfsg-1.1_all.deb
 4575e835cf84f61e85b095ef14d18555 30580 text extra gs-esp_8.64~dfsg-1.1_all.deb
 3ea99fcaddc2f57305e17542f8e7f0eb 30584 text extra gs-gpl_8.64~dfsg-1.1_all.deb
 a19a2211a52c7799d9d97b42da6682b8 30586 text extra 
gs-aladdin_8.64~dfsg-1.1_all.deb
 226ec96efd4510e42e24ca53d9e59da2 30838 text extra 
gs-common_8.64~dfsg-1.1_all.deb
 c1cf9564b59d349b1bb7979737f1fbd1 2967238 doc optional 
ghostscript-doc_8.64~dfsg-1.1_all.deb
 ade92597066cd987a7d209f30d1d2bdd 770316 text optional 
ghostscript_8.64~dfsg-1.1_amd64.deb
 b81e7b7f7cb796b475237d1ac52d8c55 64714 text optional 
ghostscript-x_8.64~dfsg-1.1_amd64.deb
 4666898f5ed8171fd479d7993d50c893 2399198 libs optional 
libgs8_8.64~dfsg-1.1_amd64.deb
 645ec9793b135975b5873505a3814f83 38346 libdevel optional 
libgs-dev_8.64~dfsg-1.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAknuXAwACgkQHYflSXNkfP/PZgCcCJUOXQGeIYGgl9CWPgipjSqT
Cd8AoLcpA3a5GTwICRXJ+efN7aXf3Huf
=AVIk
-----END PGP SIGNATURE-----



--- End Message ---
