CVE-2009-4270: Stack-based buffer overflow in the errprintf function

Debian Bug report logs - #562643
CVE-2009-4270: Stack-based buffer overflow in the errprintf function

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <iuculano@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2009-4270: Stack-based buffer overflow in the errprintf function

Date: Sat, 26 Dec 2009 19:14:18 +0100

Package: ghostscript
Version: 8.70~dfsg-2
Severity: grave
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ghostscript.

CVE-2009-4270[0]:
| Stack-based buffer overflow in the errprintf function in base/gsmisc.c
| in ghostscript 8.64 through 8.70 allows remote attackers to cause a
| denial of service (crash) and possibly execute arbitrary code via a
| crafted PDF file, as originally reported for debug logging code in
| gdevcups.c in the CUPS output driver.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4270
    http://security-tracker.debian.org/tracker/CVE-2009-4270


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAks2UncACgkQNxpp46476aqmhQCfZqFp5DcZ+MCssaojRwCoOouL
ywAAnj1EEYZDyd25UqAL391PEpxUnHLR
=pecB
-----END PGP SIGNATURE-----

Message #12 received at 562643@bugs.debian.org (full text, mbox, reply):

From: Andreas Kirschbaum <kirschbaum@in-medias-res.com>

To: 562643@bugs.debian.org

Subject: Patch to fix security issues

Date: Sat, 23 Jan 2010 10:56:09 +0100

[Message part 1 (text/plain, inline)]

The attached patch fixes this security issue and similar issues in
outprintf() and gs_throw_imp().

The patch also applies to ghostscript-8.62.dfsg.1 (lenny version) except
that the source file is src/gsmisc.c instead of base/gsmisc.c.

[ghostscript_8.70~dfsg-2.1.diff (text/x-diff, attachment)]

Message #17 received at 562643-close@bugs.debian.org (full text, mbox, reply):

From: Andreas Kirschbaum <kirschbaum@in-medias-res.com>

To: 562643-close@bugs.debian.org

Subject: Bug#562643: fixed in ghostscript 8.70~dfsg-2.1

Date: Sat, 23 Jan 2010 15:42:01 +0000

Source: ghostscript
Source-Version: 8.70~dfsg-2.1

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive:

ghostscript-cups_8.70~dfsg-2.1_amd64.deb
  to main/g/ghostscript/ghostscript-cups_8.70~dfsg-2.1_amd64.deb
ghostscript-doc_8.70~dfsg-2.1_all.deb
  to main/g/ghostscript/ghostscript-doc_8.70~dfsg-2.1_all.deb
ghostscript-x_8.70~dfsg-2.1_amd64.deb
  to main/g/ghostscript/ghostscript-x_8.70~dfsg-2.1_amd64.deb
ghostscript_8.70~dfsg-2.1.diff.gz
  to main/g/ghostscript/ghostscript_8.70~dfsg-2.1.diff.gz
ghostscript_8.70~dfsg-2.1.dsc
  to main/g/ghostscript/ghostscript_8.70~dfsg-2.1.dsc
ghostscript_8.70~dfsg-2.1_amd64.deb
  to main/g/ghostscript/ghostscript_8.70~dfsg-2.1_amd64.deb
gs-common_8.70~dfsg-2.1_all.deb
  to main/g/ghostscript/gs-common_8.70~dfsg-2.1_all.deb
gs-esp_8.70~dfsg-2.1_all.deb
  to main/g/ghostscript/gs-esp_8.70~dfsg-2.1_all.deb
gs-gpl_8.70~dfsg-2.1_all.deb
  to main/g/ghostscript/gs-gpl_8.70~dfsg-2.1_all.deb
libgs-dev_8.70~dfsg-2.1_amd64.deb
  to main/g/ghostscript/libgs-dev_8.70~dfsg-2.1_amd64.deb
libgs8_8.70~dfsg-2.1_amd64.deb
  to main/g/ghostscript/libgs8_8.70~dfsg-2.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 562643@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Kirschbaum <kirschbaum@in-medias-res.com> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 23 Jan 2010 10:19:35 +0100
Source: ghostscript
Binary: ghostscript gs-esp gs-gpl gs-common ghostscript-cups ghostscript-x ghostscript-doc libgs8 libgs-dev
Architecture: source all amd64
Version: 8.70~dfsg-2.1
Distribution: unstable
Urgency: low
Maintainer: Masayuki Hatta (mhatta) <mhatta@debian.org>
Changed-By: Andreas Kirschbaum <kirschbaum@in-medias-res.com>
Description: 
 ghostscript - The GPL Ghostscript PostScript/PDF interpreter
 ghostscript-cups - The GPL Ghostscript PostScript/PDF interpreter - CUPS filters
 ghostscript-doc - The GPL Ghostscript PostScript/PDF interpreter - Documentation
 ghostscript-x - The GPL Ghostscript PostScript/PDF interpreter - X Display suppor
 gs-common  - Dummy package depending on ghostscript
 gs-esp     - Transitional package
 gs-gpl     - Transitional package
 libgs-dev  - The Ghostscript PostScript Library - Development Files
 libgs8     - The Ghostscript PostScript/PDF interpreter Library
Closes: 562643
Changes: 
 ghostscript (8.70~dfsg-2.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Fix some security issues:
      - CVE-2009-4270[0]: stack-based buffer overflow multiple integer
        overflows in the icc library (closes: #562643)
      - fix possible buffer overflow in gs_throw_imp()
Checksums-Sha1: 
 73f8ab9b80bbee7797728b9ad8b5ab26974c1120 1763 ghostscript_8.70~dfsg-2.1.dsc
 dc350dee9b7cdacf240fe2227982ab44185f939b 154859 ghostscript_8.70~dfsg-2.1.diff.gz
 53b946b1bfb3ae45da4c897ee87540a5241e6fe4 42498 gs-esp_8.70~dfsg-2.1_all.deb
 eecb5d826acd71dc671b0fe63eda8c05769e508f 42496 gs-gpl_8.70~dfsg-2.1_all.deb
 fce5686354e442417f32ad7dc13e0b1c14101c8f 42526 gs-common_8.70~dfsg-2.1_all.deb
 089da1ec2dda2bcf286a3577217e7c67b8c80c91 3063686 ghostscript-doc_8.70~dfsg-2.1_all.deb
 17748a0945c67d900cc7145c3a4f9f91f689d213 771798 ghostscript_8.70~dfsg-2.1_amd64.deb
 39047e30dc0f2b0ad7cb8521b6964908bec02ee7 57650 ghostscript-cups_8.70~dfsg-2.1_amd64.deb
 b080366b17764062a40735405b9453b3010c9285 76796 ghostscript-x_8.70~dfsg-2.1_amd64.deb
 b66c8d416414bac2820d0e15c16dc3f8374a441f 2200316 libgs8_8.70~dfsg-2.1_amd64.deb
 67d8ca7a55557963f10da1bfb984c4c9765d56ae 2783356 libgs-dev_8.70~dfsg-2.1_amd64.deb
Checksums-Sha256: 
 5d78f24b4bb808076f1a86f4a465a3f59e7dd30b1ba7c5b679da885e60054cca 1763 ghostscript_8.70~dfsg-2.1.dsc
 519a100d2325f8d3da24ad6d2febd4a84ff38721ba805482eebb23e14946c98f 154859 ghostscript_8.70~dfsg-2.1.diff.gz
 4905951b1af0a1a5e366cbd9431bcdc86fc339245e0935d8a5992d1401b4ad84 42498 gs-esp_8.70~dfsg-2.1_all.deb
 532d69591e584fef38eb11c7e8d584b39903d745acefb5e0f969eecacc8f4cc7 42496 gs-gpl_8.70~dfsg-2.1_all.deb
 352823e9de425d9090b5bdc987c205b11f666c36e7759b4a0d3e9a623d737d3c 42526 gs-common_8.70~dfsg-2.1_all.deb
 b5e8adaa0fb627a708381b9ccffdd01628786e06f83821ea3e4e7743ddb0c6ef 3063686 ghostscript-doc_8.70~dfsg-2.1_all.deb
 fb0cfd8e1ff136660cb1826ad0e6476c34fee68a98400ccc1c506cca14d96232 771798 ghostscript_8.70~dfsg-2.1_amd64.deb
 0c4882e519512dadc66369fe8aab7c3f079cf0e874bcbe04c51506b43cb45cbd 57650 ghostscript-cups_8.70~dfsg-2.1_amd64.deb
 d1eab65dadec50165b849a413a4cc61012fcfcd5205dd4200ae0cd144f6693ea 76796 ghostscript-x_8.70~dfsg-2.1_amd64.deb
 1631bd76ae62bf0d23a61a56790e80a1f1a6adda2e55447aff5a28bd09fdb8b1 2200316 libgs8_8.70~dfsg-2.1_amd64.deb
 b8e6c1e0a87db45246ed3664d9d41efed751c765bf8d1875718fbe1e3071cb14 2783356 libgs-dev_8.70~dfsg-2.1_amd64.deb
Files: 
 2641b64e89a8451ce4bf01655a238b18 1763 text optional ghostscript_8.70~dfsg-2.1.dsc
 8e9d125e8f2692ab11b1c462cb807704 154859 text optional ghostscript_8.70~dfsg-2.1.diff.gz
 331336b9fc81d42fb65ef1d1abbf06ee 42498 text extra gs-esp_8.70~dfsg-2.1_all.deb
 9f762d4da0553a87fa8a3b250268cfe4 42496 text extra gs-gpl_8.70~dfsg-2.1_all.deb
 e9a370a47ec3dcf51a525528eece2b64 42526 text extra gs-common_8.70~dfsg-2.1_all.deb
 f4bcd923c19743ec32806611adad398b 3063686 doc optional ghostscript-doc_8.70~dfsg-2.1_all.deb
 5b03d9e93d0fa1b0746424cdeb13f7ed 771798 text optional ghostscript_8.70~dfsg-2.1_amd64.deb
 9d4d835d2f920d4a4b4e1e652f23b820 57650 text optional ghostscript-cups_8.70~dfsg-2.1_amd64.deb
 777c3e4199fd12f28168877b2b38c9a0 76796 text optional ghostscript-x_8.70~dfsg-2.1_amd64.deb
 89dca72f62217f73412164fac2d233e5 2200316 libs optional libgs8_8.70~dfsg-2.1_amd64.deb
 4af2a1f9db08710c8b2a210199baee17 2783356 libdevel optional libgs-dev_8.70~dfsg-2.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkta8CgACgkQbdB4RPTVesqcoQCdFbv7+oqelUuMc9aF8l+csmia
36UAn2YzN02hC648Z++3tvnXteUhhJsK
=lDtT
-----END PGP SIGNATURE-----

Message #22 received at 562643-close@bugs.debian.org (full text, mbox, reply):

From: Jonas Smedegaard <dr@jones.dk>

To: 562643-close@bugs.debian.org

Subject: Bug#562643: fixed in ghostscript 8.71~dfsg-1

Date: Tue, 16 Feb 2010 04:17:42 +0000

Source: ghostscript
Source-Version: 8.71~dfsg-1

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive:

ghostscript-cups_8.71~dfsg-1_amd64.deb
  to main/g/ghostscript/ghostscript-cups_8.71~dfsg-1_amd64.deb
ghostscript-doc_8.71~dfsg-1_all.deb
  to main/g/ghostscript/ghostscript-doc_8.71~dfsg-1_all.deb
ghostscript-x_8.71~dfsg-1_amd64.deb
  to main/g/ghostscript/ghostscript-x_8.71~dfsg-1_amd64.deb
ghostscript_8.71~dfsg-1.debian.tar.gz
  to main/g/ghostscript/ghostscript_8.71~dfsg-1.debian.tar.gz
ghostscript_8.71~dfsg-1.dsc
  to main/g/ghostscript/ghostscript_8.71~dfsg-1.dsc
ghostscript_8.71~dfsg-1_amd64.deb
  to main/g/ghostscript/ghostscript_8.71~dfsg-1_amd64.deb
ghostscript_8.71~dfsg.orig.tar.gz
  to main/g/ghostscript/ghostscript_8.71~dfsg.orig.tar.gz
gs-common_8.71~dfsg-1_all.deb
  to main/g/ghostscript/gs-common_8.71~dfsg-1_all.deb
gs-esp_8.71~dfsg-1_all.deb
  to main/g/ghostscript/gs-esp_8.71~dfsg-1_all.deb
gs-gpl_8.71~dfsg-1_all.deb
  to main/g/ghostscript/gs-gpl_8.71~dfsg-1_all.deb
libgs-dev_8.71~dfsg-1_amd64.deb
  to main/g/ghostscript/libgs-dev_8.71~dfsg-1_amd64.deb
libgs8_8.71~dfsg-1_amd64.deb
  to main/g/ghostscript/libgs8_8.71~dfsg-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 562643@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.8
Date: Mon, 15 Feb 2010 23:39:11 +0100
Source: ghostscript
Binary: ghostscript gs-esp gs-gpl gs-common ghostscript-cups ghostscript-x ghostscript-doc libgs8 libgs-dev
Architecture: source all amd64
Version: 8.71~dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Masayuki Hatta (mhatta) <mhatta@debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description: 
 ghostscript - The GPL Ghostscript PostScript/PDF interpreter
 ghostscript-cups - The GPL Ghostscript PostScript/PDF interpreter - CUPS filters
 ghostscript-doc - The GPL Ghostscript PostScript/PDF interpreter - Documentation
 ghostscript-x - The GPL Ghostscript PostScript/PDF interpreter - X Display suppor
 gs-common  - Dummy package depending on ghostscript
 gs-esp     - Transitional package
 gs-gpl     - Transitional package
 libgs-dev  - The Ghostscript PostScript Library - Development Files
 libgs8     - The Ghostscript PostScript/PDF interpreter Library
Closes: 520215 546017 562643
Changes: 
 ghostscript (8.71~dfsg-1) unstable; urgency=low
 .
   * New upstream release.
   * Acknowledge NMU. Closes: bug#562643, thanks to Andreas Kirschbaum.
   * No longer strip Resource/Font dir when DFSG-repackaging source (GPL-
     licensed since 8.63). Closes: bug#520215, thanks to Fabian
     Greffrath.
   * Update local CDBS snippets:
     + package-relations.mk:
       - Merge mixture of versioned and unversioned dependencies
       - Use unversioned dependencies when satisfied in oldstable
       - Improve whitespace cleanup
       - Rewrite and silence applying dependencies
       - Handle cdbs 0.4.53 dependency (needed when using debhelper v7)
     + upstream-tarball.mk:
       - Depend unversioned on cdbs (the needed 0.4.39 is in oldstable)
       - Preserve bzip2 tarballs with source format '3.0 (quilt)'.
     + copyright-check.mk:
       - More aggressive scanning (check top 99999 lines, not just 60)
       - Simplify more licensing notices and preserve non-ASCII chars
       - Group hints by sorted owner list (ignoring years)
       - Limit console output both horisontally and vertically
       - Use rev123 of draft DEP5 for hints file
   * Use source format 3.0 "quilt" (and not patchsys-quit.mk). Update
     README.source: normal builds need no special handling now.
   * Add patches:
     + 1009 (Ubuntu): Fix build gs as executable (not shared library)
     + 0743 (Upstream): Fix pdfwrite UTF16-BE pdfmarks not garbling XMP
       metadata
     + 0748 (Upstream): Fix nested ICCBased colour processing
     + 0749 (Upstream): Fix a few minor compile warnings
   * Refresh patches, and reorder to apply in numerical order.
   * Rewrite copyright file using draft DEP5 format: All earlier
     information preserved, but also many new discoveries (some yet
     incomplete - tagged FIXME in the file).
   * Build-depend on libtiff-dev and enable use of libtiff.
   * Update symbols files, and avoid Linux-only realloc symbol on Hurd
     (we currently do not maintain symbols files for other non-Linux
     archs). Closes: bug#546017, thanks to Pino Toscano.
   * Bump Standards-Version to 3.8.4.
Checksums-Sha1: 
 d150cad7d5c87eb210d6d35b52347fe8610ce040 1756 ghostscript_8.71~dfsg-1.dsc
 614430f9a325e5bad48e3780ab6a34b23ccd07d4 18980184 ghostscript_8.71~dfsg.orig.tar.gz
 06c2abf683637df22a5faa06f82a3a771b2ca34f 161117 ghostscript_8.71~dfsg-1.debian.tar.gz
 74e2dd1a5094af119c69f098caeb3a90579d4c0e 42050 gs-esp_8.71~dfsg-1_all.deb
 56721fcff865d8d78f216f9b625228b7b12a4601 42054 gs-gpl_8.71~dfsg-1_all.deb
 687f5de580abc684aec2dd72941af41381f37c76 42074 gs-common_8.71~dfsg-1_all.deb
 9ec0922264a65ce9147cbdb63bcc4c8b98c3fdec 3230696 ghostscript-doc_8.71~dfsg-1_all.deb
 99a2ebc64e49036c8d5d7e6aea6f88e30ae5d1a4 4099438 ghostscript_8.71~dfsg-1_amd64.deb
 ddff7b262600dbd5f46598cc888957b9a73c66bd 57074 ghostscript-cups_8.71~dfsg-1_amd64.deb
 a0455bc5a1d92cb1307594f1af825177ec1bea3d 76680 ghostscript-x_8.71~dfsg-1_amd64.deb
 dbec11c46cddb6ef9d9bab53dc4025b331bd1429 2230154 libgs8_8.71~dfsg-1_amd64.deb
 2ca4f8fd631127ec842d35c3fc03ef7c6159a44e 2816328 libgs-dev_8.71~dfsg-1_amd64.deb
Checksums-Sha256: 
 0ffe29f99470607cd3bf3f7a61e3b58095a7b0ee92870f87adf27564f4600146 1756 ghostscript_8.71~dfsg-1.dsc
 3def4ed1176cab25c71947f02de2fbca42292498698a7b1deb0b0b68ffc14a20 18980184 ghostscript_8.71~dfsg.orig.tar.gz
 4771766b9ffbe9eec5bdcfca37508c9bab3c70546094dfbf5052dbef6dd39eeb 161117 ghostscript_8.71~dfsg-1.debian.tar.gz
 cab39fd9c85851dbf748d3150339286775bc75cdf4dc4f94588b54ef5a64cbc0 42050 gs-esp_8.71~dfsg-1_all.deb
 17017027b4907118bb58093e1bdc56e4001a1753f282aab1c5fd0af23eac9baf 42054 gs-gpl_8.71~dfsg-1_all.deb
 0accbb12c7375589720034c993bbf35a8cf0a413c7902a3dce947dd010909de5 42074 gs-common_8.71~dfsg-1_all.deb
 d0b3c1e0df5c10a8b592424a382b4b8637a6fa605552344ae10ed40fa7a596c5 3230696 ghostscript-doc_8.71~dfsg-1_all.deb
 b19f6c90d0d8693b14b75dea696e2587929e52c3537eac2788b2703adaafdbf1 4099438 ghostscript_8.71~dfsg-1_amd64.deb
 a0fb7d60c41542aa8a8e26715624a573166cb3d60571db70a5878ab93c0c7327 57074 ghostscript-cups_8.71~dfsg-1_amd64.deb
 578672b4f34964ae05ff4b7884b1728890d46f9ccda7b29dd4b5d94e0d9fc3cd 76680 ghostscript-x_8.71~dfsg-1_amd64.deb
 09c2dea88928b26f324d9823a6f632c3dd49ede06c7ddd8970c4b149d3041b71 2230154 libgs8_8.71~dfsg-1_amd64.deb
 4e55d374935de6996a8529ff08ac40478edbcc60fb3aedb6e2258b4a770ed25a 2816328 libgs-dev_8.71~dfsg-1_amd64.deb
Files: 
 f34f6d1273115482f27eafd92ccdaa61 1756 text optional ghostscript_8.71~dfsg-1.dsc
 f3eb57e0ae650602601190f198d84410 18980184 text optional ghostscript_8.71~dfsg.orig.tar.gz
 4c086c7cf677a602b000921c42016a9e 161117 text optional ghostscript_8.71~dfsg-1.debian.tar.gz
 0d5ea9be8be68916d6b2ebb9357e28a1 42050 text extra gs-esp_8.71~dfsg-1_all.deb
 1b51df1491cf8ce18478577cb3ee1f35 42054 text extra gs-gpl_8.71~dfsg-1_all.deb
 bba7f637dc6b0c45016fc8e660e3b225 42074 text extra gs-common_8.71~dfsg-1_all.deb
 86037878d490efa8071f642d6250c549 3230696 doc optional ghostscript-doc_8.71~dfsg-1_all.deb
 58969b5d254643731b456706c5ce6de2 4099438 text optional ghostscript_8.71~dfsg-1_amd64.deb
 79c3b8a6cf5ae18e553133eb33fb473a 57074 text optional ghostscript-cups_8.71~dfsg-1_amd64.deb
 d1b7377dc0e11d4c45bdf8a528cbaefe 76680 text optional ghostscript-x_8.71~dfsg-1_amd64.deb
 7de6caa028fb62805b9334bbf91f97f9 2230154 libs optional libgs8_8.71~dfsg-1_amd64.deb
 47b0fd330f6fdb17f43bacc121339515 2816328 libdevel optional libgs-dev_8.71~dfsg-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEAREDAAYFAkt6FzAACgkQn7DbMsAkQLhRuQCdF4Vp7jmz5KEGStsBInT+GH0l
ywwAn3BXT1s0BeMpWSXfqbd8Q3RA9GFF
=J1O1
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.