ghostscript: CVE-2008-0411 buffer overflow via crafted .ps file

Related Vulnerabilities: CVE-2008-0411  

Debian Bug report logs - #468190

Reported by: Nico Golde <nion@debian.org>

Date: Wed, 27 Feb 2008 15:36:02 UTC

Severity: grave

Tags: patch, security

Found in version ghostscript/8.61.dfsg.1-1

Fixed in version ghostscript/8.61.dfsg.1-1.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#468190; Package ghostscript.


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: ghostscript: CVE-2008-0411 buffer overflow via crafted .ps file
Date: Wed, 27 Feb 2008 16:34:29 +0100
[Message part 1 (text/plain, inline)]
Package: ghostscript
Version: 8.61.dfsg.1-1
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ghostscript.

CVE-2008-0411[0]:
| This advisory notes a stack-based buffer overflow in the zseticcspace()
| function in zicc.c. The issue is over-trust of the length of a postscript array
| which an attacker can set to an arbitrary length. One slight amusement is that
| the overflowed type is "float", leading to machine code -> float conversion in
| any exploit.

Mitre has not yet put any vulnerability text on their website.
In the meantime you can get a verbose description on:
http://scary.beasts.org/security/ea9fde3e0e58b7b6/CESA-2008-001.html

A patch is attached.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0411

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[ghostscript-8.60-CESA-2008-001.diff (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]
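
The bug class summarized in the advisory text above (a file-supplied array length trusted while filling a fixed-size stack buffer of floats), shown beside a checked version. This is an added example, not part of the bug log and not Ghostscript's code: the ps_array type, the function names and the MAX_COMPS limit are assumptions made for illustration.

```c
/* Simplified model of the bug class; names and sizes are assumptions,
 * not Ghostscript's zicc.c. */
#include <stddef.h>

#define MAX_COMPS   4                /* assumed cap on colour components */
#define RANGE_SLOTS (2 * MAX_COMPS)  /* one (min, max) pair per component */

/* Constructed stand-in for a PostScript array: len comes from the file. */
typedef struct {
    const double *elems;
    size_t        len;
} ps_array;

/* Unchecked pattern: the file-supplied length drives writes into a
 * fixed-size stack buffer of floats. */
int load_range_unchecked(const ps_array *arr, float *first_min)
{
    float range[RANGE_SLOTS] = {0};
    for (size_t i = 0; i < arr->len; i++)  /* out of bounds once len > RANGE_SLOTS */
        range[i] = (float)arr->elems[i];
    *first_min = range[0];
    return 0;
}

/* Hardened pattern: the length must equal what the declared component
 * count implies, and must fit the destination, before any copy happens. */
int load_range_checked(const ps_array *arr, size_t ncomps,
                       float *out, size_t out_slots)
{
    if (arr == NULL || out == NULL || arr->elems == NULL)
        return -1;
    if (ncomps == 0 || ncomps > MAX_COMPS)
        return -1;                         /* reject absurd component counts */
    if (arr->len != 2 * ncomps || arr->len > out_slots)
        return -1;                         /* length must match and fit */
    for (size_t i = 0; i < arr->len; i++)
        out[i] = (float)arr->elems[i];
    for (size_t c = 0; c < ncomps; c++)
        if (out[2 * c] > out[2 * c + 1])
            return -1;                     /* each pair must be min <= max */
    return 0;
}
```

The checked version rejects the input before the first write, so an oversized array never reaches the copy loop.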

Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#468190; Package ghostscript.


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>.


Message #10 received at 468190@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 468190@bugs.debian.org
Subject: Changed advisory URL
Date: Wed, 27 Feb 2008 17:24:28 +0100
The permanent link to the advisory text:
http://scary.beasts.org/security/CESA-2008-001.html

Note that this issue has already been fixed in stable/oldstable in DSA-1510-1.




Information forwarded to debian-bugs-dist@lists.debian.org, Masayuki Hatta (mhatta) <mhatta@debian.org>:
Bug#468190; Package ghostscript.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Masayuki Hatta (mhatta) <mhatta@debian.org>.


Message #15 received at 468190@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 468190@bugs.debian.org
Subject: intent to NMU
Date: Sat, 1 Mar 2008 11:52:51 +0100
[Message part 1 (text/plain, inline)]
Hi,
uploading a 0-day NMU to fix this as the maintainer is 
listed in the LowThresholdNmu list.

Attached is the patch to fix this.
It will be also archived on:
http://people.debian.org/~nion/nmu-diff/ghostscript-8.61.dfsg.1-1_8.61.dfsg.1-1.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[ghostscript-8.61.dfsg.1-1_8.61.dfsg.1-1.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #20 received at 468190-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 468190-close@bugs.debian.org
Subject: Bug#468190: fixed in ghostscript 8.61.dfsg.1-1.1
Date: Sat, 01 Mar 2008 11:02:04 +0000
Source: ghostscript
Source-Version: 8.61.dfsg.1-1.1

We believe that the bug you reported is fixed in the latest version of
ghostscript, which is due to be installed in the Debian FTP archive:

ghostscript-doc_8.61.dfsg.1-1.1_all.deb
  to pool/main/g/ghostscript/ghostscript-doc_8.61.dfsg.1-1.1_all.deb
ghostscript-x_8.61.dfsg.1-1.1_i386.deb
  to pool/main/g/ghostscript/ghostscript-x_8.61.dfsg.1-1.1_i386.deb
ghostscript_8.61.dfsg.1-1.1.diff.gz
  to pool/main/g/ghostscript/ghostscript_8.61.dfsg.1-1.1.diff.gz
ghostscript_8.61.dfsg.1-1.1.dsc
  to pool/main/g/ghostscript/ghostscript_8.61.dfsg.1-1.1.dsc
ghostscript_8.61.dfsg.1-1.1_i386.deb
  to pool/main/g/ghostscript/ghostscript_8.61.dfsg.1-1.1_i386.deb
gs-aladdin_8.61.dfsg.1-1.1_all.deb
  to pool/main/g/ghostscript/gs-aladdin_8.61.dfsg.1-1.1_all.deb
gs-common_8.61.dfsg.1-1.1_all.deb
  to pool/main/g/ghostscript/gs-common_8.61.dfsg.1-1.1_all.deb
gs-esp_8.61.dfsg.1-1.1_all.deb
  to pool/main/g/ghostscript/gs-esp_8.61.dfsg.1-1.1_all.deb
gs-gpl_8.61.dfsg.1-1.1_all.deb
  to pool/main/g/ghostscript/gs-gpl_8.61.dfsg.1-1.1_all.deb
gs_8.61.dfsg.1-1.1_all.deb
  to pool/main/g/ghostscript/gs_8.61.dfsg.1-1.1_all.deb
libgs-dev_8.61.dfsg.1-1.1_i386.deb
  to pool/main/g/ghostscript/libgs-dev_8.61.dfsg.1-1.1_i386.deb
libgs8_8.61.dfsg.1-1.1_i386.deb
  to pool/main/g/ghostscript/libgs8_8.61.dfsg.1-1.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 468190@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated ghostscript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sat, 01 Mar 2008 11:18:27 +0100
Source: ghostscript
Binary: ghostscript gs gs-esp gs-gpl gs-aladdin gs-common ghostscript-x ghostscript-doc libgs8 libgs-dev
Architecture: source all i386
Version: 8.61.dfsg.1-1.1
Distribution: unstable
Urgency: high
Maintainer: Masayuki Hatta (mhatta) <mhatta@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 ghostscript - The GPL Ghostscript PostScript/PDF interpreter
 ghostscript-doc - The GPL Ghostscript PostScript/PDF interpreter - Documentation
 ghostscript-x - The GPL Ghostscript PostScript/PDF interpreter - X Display suppor
 gs         - Transitional package
 gs-aladdin - Transitional package
 gs-common  - Transitional package
 gs-esp     - Transitional package
 gs-gpl     - Transitional package
 libgs-dev  - The Ghostscript PostScript Library - Development Files
 libgs8     - The Ghostscript PostScript/PDF interpreter Library
Closes: 468190
Changes: 
 ghostscript (8.61.dfsg.1-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by security team.
   * Fix stack based buffer overflow in the zseticcspace() function possibly
     leading to arbitrary code execution via a crafted ps file.
     (31_CVE-2008-0411.dpatch; Closes: #468190).
   * Adjusting libgs shlibs file to match the new version number.
Files: 






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 02 Apr 2008 07:33:57 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:23:13 2019; Machine Name: buxtehude
