** Changed in: ghostscript (Ubuntu)
     Assignee: (unassigned) => Skymathrix (asstaroid)

You received this bug notification because you are a member of Desktop
Packages, which is subscribed to ghostscript in Ubuntu.

  Multiple memory corruption vulnerabilities in Ghostscript

Status in GS-GPL:
  Fix Released
Status in ghostscript package in Ubuntu:
  Fix Released

Bug description:
  Binary package hint: ghostscript

  I have discovered multiple memory corruption vulnerabilities in
  Ghostscript, which can be triggered when using Ghostscript to view
  maliciously crafted PostScript files.

  1.  The Ghostscript interpreter fails to properly handle some cases of
  infinite recursion.  By creating a .ps file with a sequence such as:

  /A{pop 0 A 0} bind def
  /product A 0

  The interpreter's internal stack will be overflowed with recursive
  calls.  Rather than gracefully handling this situation, the
  interpreter continues execution by jumping to an (usually invalid)
  address near (or past) the tail end of the stack.  Without further
  manipulation, this would simply result in a segfault, but it turns out
  that by altering the number of variable definitions that occur before
  the call to the infinitely recursive procedure, the user can actually
  exert control over the address that is jumped to.  Combined with the
  fact that the attacker has an easy way to introduce shellcode (via the
  .ps file), this can definitely result in arbitrary code execution.  I
  have not developed a fully functional exploit for this case, but the
  attached reproducer ("infinite.ps") will trigger a segfault in the
  same location on all of the versions of Ghostscript I have tested,
  including 8.61, 8.62, 8.64, and 8.70.  If you wish to more
  convincingly verify that this is exploitable, place varying amounts of
  "/A{ 0 } bind def" strings at the beginning of the file, and observe
  how the EIP at crash time is altered.  Unfortunately, the Ghostscript
  code is rather complex, so I am unable to determine the root cause of
  this vulnerability in the source.

  2.  Ghostscript fails to properly parse very long identifiers, leading
  to memory corruption and potentially arbitrary code execution.  The
  resulting behavior depends on the version of Ghostscript.  I have
  found that 8.61 (Hardy) is not vulnerable.  However, 8.64 (Jaunty) is
  vulnerable and exploitable.  I haven't been able to pin down the exact
  cause for the overflow, but the exploitable memory access occurs in
  gc_objects_clear_marks(), in psi/igc.c, when *(pre + 1) is called as a
  function.  8.70 (Karmic) is also vulnerable to an overflow when
  parsing very long identifiers, but this time, rather than an invalid
  (exploitable) function pointer call, the issue is a classic stack
  overflow.  The overflow occurs due to a bad memcpy() call in
  dynamic_save(), called in scan_token() in psi/iscan.c at line 1061.
  Successful exploitation is mitigated by SSP - it catches the overflow
  and terminates - so on Karmic this should only result in denial of

  The attached reproducer ("overflow.ps") will trigger overflows in both
  8.64 and 8.70 due to the different reasons described above.

To manage notifications about this bug go to:

Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to