** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date **

Ghostscript's ICC Library integer overflows

Description:
The Ghostscript International Color Consortium Format Library (icclib), implementing support for the cross-platform device independent color profile format, is prone to multiple integer overflows and lacks multiple upper-bounds checks on certain variable sizes. Providing a malicious PostScript file with embedded images with specially-crafted ICC profiles could cause Ghostscript (PostScript and PDF language interpreter and previewer) to crash, or, potentially, execute arbitrary code.

Affected version: Ghostscript <= 8.64

CVE:
CVE-2009-0583 Multiple integer overflows in the ICC Library
CVE-2009-0584 Multiple insufficient upper-bounds checks on certain variable sizes in the ICC Library

Credit: Jan Lieskovsky, <jlieskov [at] redhat [dot] com>, Red Hat Security Response Team

Acknowledgements:
To Chris Evans, <scarybeasts [at] gmail [dot] com> for reporting the original LittleCMS vulnerability and for Ghostscript's ICC library vulnerability presence confirmation.
To Tim Waugh, <twaugh [at] redhat [dot] com> for Ghostscript's ICC library vulnerability presence confirmation and for providing a patch for the current 8.64 version.
To Tomas Hoger <thoger [at] redhat [dot] com> for further patch analysis and review.

Note: The provided patch should already address previous reservations about the LittleCMS patch (incorrect detection of integer overflows).

Timeline:
2009-02-24: LittleCMS vulnerability report
2009-02-26: Ghostscript vulnerability identified, contacted LittleCMS vulnerability reporter and Ghostscript maintainer
2009-02-26: Vulnerability confirmed, initial solution proposal from maintainer
2009-02-27: Patch for current 8.64 version provided by maintainer
2009-03-02: Further patch review and improvements
2009-03-03: Other vendors contacted
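As an added illustration of the bug class the advisory describes (this is not code from the report, from icclib or from the patch), the C below contrasts the wrap-prone "multiply, then compare" size check with an overflow-free count check on a constructed ICC-style tag body. The element size, the entry cap and the sample bytes are assumptions chosen for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ICC profiles store counts big-endian; read one 32-bit field. */
static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The flawed pattern: multiply first, compare after. The product is
 * computed in 32 bits, so a large count wraps to a small byte size and
 * the "fits in the buffer" test passes. Kept here only for contrast. */
static int naive_check(uint32_t count, uint32_t elem_size, size_t remaining) {
    uint32_t bytes = count * elem_size;          /* may wrap silently */
    return bytes <= remaining;
}

/* Overflow-free check: bound the count explicitly, then divide the
 * available space by the element size instead of multiplying. */
static int checked_count(uint32_t count, size_t elem_size,
                         size_t remaining, uint32_t max_count) {
    if (elem_size == 0) return 0;                /* no division by zero */
    if (count > max_count) return 0;             /* explicit upper bound */
    if ((size_t)count > remaining / elem_size) return 0; /* would overrun */
    return 1;
}

/* Parse a constructed ICC-style tag body: a 4-byte count followed by
 * 'count' fixed-size entries. Returns the entry count, or -1 if rejected. */
#define ELEM_SIZE   12u   /* assumed entry size for this demo */
#define MAX_ENTRIES 4096u /* assumed sane upper bound on entries */
static long parse_tag(const unsigned char *buf, size_t len) {
    if (len < 4) return -1;
    uint32_t count = read_be32(buf);
    if (!checked_count(count, ELEM_SIZE, len - 4, MAX_ENTRIES)) return -1;
    return (long)count;
}

/* Constructed inputs (not from any real profile). The crafted count
 * 0x15555556 * 12 = 0x100000008, which wraps to 8 in 32-bit arithmetic. */
static const unsigned char crafted[16] = {0x15, 0x55, 0x55, 0x56};
static const unsigned char benign[16]  = {0x00, 0x00, 0x00, 0x01};
int main(void) {
    printf("naive accepts crafted:   %d\n", naive_check(0x15555556u, ELEM_SIZE, 12));
    printf("checked accepts crafted: %d\n", checked_count(0x15555556u, ELEM_SIZE, 12, MAX_ENTRIES));
    printf("parse crafted: %ld, parse benign: %ld\n",
           parse_tag(crafted, sizeof crafted), parse_tag(benign, sizeof benign));
    return 0;
}
```

The division-based test is what makes the check independent of the width of the intermediate product, which is the "incorrect detection of integer overflows" concern the note above refers to.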
This seems to affect all three ghostscript implementations we have in the tree, the patch applies to -gnu and -esp with fuzz.
Created attachment 183782 [details, diff] ghostscript-CVE-2009-0583.patch
Our target would be to prepare ebuilds for all three applications applying the patch (tgurr,pva?) and attach it to this bug report. Then we'll do prestable testing here.
ghostscript-esp must die as it was end-of-lifed more than a year ago. I'll keyword -gpl on mips this evening and schedule removal and mask it today or this weekend. Tgurr, if you have any objections tell me, please. (in bug 261434)
Created attachment 184125 [details] ghostscript-gpl-8.64-patchset-3.tar.bz2
Patchset for ghostscript-gpl. Drop it into /usr/portage/distfiles.
Created attachment 184127 [details] ghostscript-gpl-8.64-r2.ebuild
Updated ebuild. ghostscript-gnu will come with a version bump later today, after I test it.
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug:
=app-text/ghostscript-gpl-8.64-r2

Please make sure you note whether your tests are for ghostscript-gpl or ghostscript-gnu for easier reconstruction later on, thanks!

Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"

CC'ing current Liaisons:
alpha : yoswink, armin76
amd64 : keytoaster, tester
hppa : jer
ppc : dertobi123
ppc64 : corsair
sparc : fmccor
x86 : maekke, armin76
(In reply to comment #4)
> Tgurr if you have any objections tell me, please. (in bug 261434)

++. please do so. This is long overdue but I haven't had the time to check for possible impacts lately, seems like the best time to get rid of it now. I'd also raise the question about keeping ghostscript-gnu since upstream is quite some releases behind and no one @printing actively maintains -gnu these days.

(In reply to comment #6)
> updated ebuild

Seems to miss an epatch line regarding the CVE patch. Thanks!
=app-text/ghostscript-gpl-8.64-r2 is OK for HPPA.
(In reply to comment #8)
> (In reply to comment #4)
> > Tgurr if you have any objections tell me, please. (in bug 261434)
>
> ++. please do so. This is long overdue but I haven't had the time to check for
> possible impacts lately, seems like the best time to get rid of it now. I'd
> also raise the question about keeping ghostscript-gnu since upstream is quite
> some releases behind and no one @printing actively maintains -gnu these days.
>
> (In reply to comment #6)
> > updated ebuild
> Seems to miss an epatch line regarding the CVE patch.
>
> Thanks!

I don't see any difference between the attached ebuild and the ebuild for -r1 either. Is this really what you want?
Created attachment 184187 [details, diff] ghostscript-CVE-2009-0583.patch
The patch has been revised, sorry for any additional workload. It contained a possible division by zero before.
(In reply to comment #11)
> Created an attachment (id=184187) [edit]
> ghostscript-CVE-2009-0583.patch
>
> The patch has been revised, sorry for any additional workload. It contained a
> possible division by zero before.

I still don't see how it gets applied at all??? What am I missing?
(In reply to comment #12)
> I still don't see how it gets applied at all??? What am I missing?

My comment about the updated was targeted at maintainers -- the issue of either patch not actually being applied remains as well :-)
(In reply to comment #13)
> (In reply to comment #12)
> > I still don't see how it gets applied at all??? What am I missing?
>
> My comment about the updated was targeted at maintainers -- the issue of either
> patch not actually being applied remains as well :-)

Thanks for clearing that up. I didn't understand what was going on and was confusing myself, I guess.
looks good on amd64/x86.
Created attachment 184259 [details] ghostscript-gpl-8.64-patchset-3.tar.bz2
Updated patchset with updated patch. Thank you Robert.
Created attachment 184260 [details] ghostscript-gpl-8.64-r2.ebuild
Timo, Ferris, you were right. I forgot to add the epatch line (heh, how did I see a correct patching line in the output...). Well, in expiation, with this revision I fixed the issue of not respecting LDFLAGS (bug #209803). Arch teams, please test this new ebuild with the updated patchset.
Created attachment 184271 [details] ghostscript-gnu-8.62.0.ebuild
Finally, the ebuild for ghostscript-gnu-8.62.0. To make it workable you need to download the patch (attachment 184187 [details, diff] ghostscript-CVE-2009-0583.patch) and mv it into $FILESDIR/ghostscript-gnu-8.62.0-CVE-2009-0583.patch.
Created attachment 184273 [details, diff] ghostscript-gnu-8.62.0-LDFLAGS-strip.patch
Also, for ghostscript-gnu-8.62.0.ebuild you need this patch inside $FILESDIR.
Embargo date has been pushed back to March 19, so we have a few more days to test.
Both apply the patches correctly and build on sparc. Preliminary checkout indicates that ghostscript-gpl-8.64-r2 is good, but I'll give it more testing over the next week before saying for sure. Unless I indicate otherwise, testing is with -gpl-8.64-r2.
(In reply to comment #17)
> Created an attachment (id=184260) [edit]
> ghostscript-gpl-8.64-r2.ebuild
> Arch teams, please, test this new ebuild with updated patchset.

HPPA is OK again.
Sparc is good for ghostscript-gpl-8.64-r2.ebuild. The ghostscript-gnu-8.62.0 variant does apply the patches correctly and does build cleanly.
app-text/ghostscript-gnu-8.62.0 is OK for HPPA.
This is now public. Please commit with the stable keywords as gathered in this bug.
ebuilds committed. I've not added amd64/x86 keywords, since packages were tested before the patch/ebuilds were updated.

sparc, I'm not sure about ghostscript-gnu: do you want to stabilize it?
hppa, do you want to keyword ghostscript-gnu?

Target keywords:
ghostscript-gpl-8.64-r2: alpha amd64 arm ia64 ppc ppc64 s390 sh x86
app-text/ghostscript-gnu-8.62.0: ppc64
ppc64 done
ppc done
amd64/x86 stable
Stable on alpha.
GLSA request filed.
GLSA 200903-37
arm/ia64/s390/sh stable :D