Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 261087 (CVE-2009-0583)

Summary: app-text/ghostscript-* ICC Library integer overflows (CVE-2009-0583,CVE-2009-0584)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: fmccor, jer, printing, pva
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
ghostscript-CVE-2009-0583.patch
none
ghostscript-gpl-8.64-patchset-3.tar.bz2
none
ghostscript-gpl-8.64-r2.ebuild
none
ghostscript-CVE-2009-0583.patch
none
ghostscript-gpl-8.64-patchset-3.tar.bz2
none
ghostscript-gpl-8.64-r2.ebuild
none
ghostscript-gnu-8.62.0.ebuild
none
ghostscript-gnu-8.62.0-LDFLAGS-strip.patch none

Description Robert Buchholz (RETIRED) gentoo-dev 2009-03-03 17:49:57 UTC 
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Ghostscript's ICC Library integer overflows

Description:

  The Ghostscript International Color Consortium Format Library
(icclib), implementing support for the cross-platform device
independent color profile format, is prone to multiple integer
overflows and lacks multiple upper-bounds checks on certain variable
sizes. Providing a malicious PostScript file with embedded images with
specially-crafted ICC profiles could cause the Ghostscript (PostScript
and PDF language interpreter and previewer) to crash, or, potentially,
execute arbitrary code.

Affected version:

Ghostscript <= 8.64

CVE:

CVE-2009-0583 Multiple integer overflows in the ICC Library
CVE-2009-0584 Multiple insufficient upper-bounds checks on certain 
              variable sizes in the ICC Library

Credit:

Jan Lieskovsky, <jlieskov [at] redhat [dot] com>, Red Hat Security
Response Team

Acknowledgements:

To Chris Evans, <scarybeasts [at] gmail [dot] com> for reporting
the original LittleCMS vulnerability and for Ghostscript's
ICC library vulnerability presence confirmation.

To Tim Waugh, <twaugh [at] redhat [dot] com> for Ghostscript's
ICC library vulnerability presence confirmation and for 
providing patch for current 8.64 version.

To Tomas Hoger <thoger [at] redhat [dot] com> for further
patch analysis and review.

Note: 

The provided patch should already address previous 
reservations about the LittleCMS patch (incorrect detection
of integer overflows).

Timeline:
2009-02-24: LittleCMS vulnerability report
2009-02-26: Ghostscript vulnerability identified, contacted LittleCMS  
            vulnerability reporter and Ghostscript maintainer
2009-02-26: Vulnerability confirmed, initial solution proposal
            from maintainer
2009-02-27: Patch for current 8.64 version provided by maintainer
2009-03-02: Further patch review and improvements
2009-03-03: Other vendors contacted
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-03-03 17:51:57 UTC 
This seems to affect all three ghostscript implementations we have in the tree, the patch applies to -gnu and -esp with fuzz.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-03-03 17:52:30 UTC 
Created attachment 183782 [details, diff]
ghostscript-CVE-2009-0583.patch
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-03-03 17:53:47 UTC 
Our target would be to prepare ebuilds for all three applications applying the patch (tgurr,pva?) and attach it to this bug report. Then we'll do prestable testing here.
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2009-03-06 11:46:52 UTC 
ghostscript-esp must die as it was end of lifed more then year ago. I'll keyword -gpl on mips this evening and schedule removal and mask it today or this weekend.

Tgurr if you have any objections tell me, please. (in bug 261434)
Comment 5 Peter Volkov (RETIRED) gentoo-dev 2009-03-06 11:59:20 UTC 
Created attachment 184125 [details]
ghostscript-gpl-8.64-patchset-3.tar.bz2

Patchset for ghostscript-gpl. Drop it into /usr/portage/distfiles.
Comment 6 Peter Volkov (RETIRED) gentoo-dev 2009-03-06 12:00:49 UTC 
Created attachment 184127 [details]
ghostscript-gpl-8.64-r2.ebuild

updated ebuild. ghostscript-gnu will come with version bump a later today, after I test it.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-03-06 12:16:07 UTC 
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug:
=app-text/ghostscript-gpl-8.64-r2

Please make sure you note whether your tests are for ghostscript-gpl or ghostscript-gnu for easier reconstruction later on, thanks!

Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"

CC'ing current Liaisons:
   alpha : yoswink, armin76
   amd64 : keytoaster, tester
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
   sparc : fmccor
     x86 : maekke, armin76
Comment 8 Timo Gurr (RETIRED) gentoo-dev 2009-03-06 12:19:21 UTC 
(In reply to comment #4)
> Tgurr if you have any objections tell me, please. (in bug 261434)

++. please do so. This is long overdue but I haven't had the time to check for possible impacts lately, seems like the best time to get rid of it now. I'd also raise the question about keeping ghostscript-gnu since upstream is quite some releases behind and noone @printing actively maintains -gnu these days.

(In reply to comment #6)
> updated ebuild
Seems to miss an epatch line regarding the CVE patch.

Thanks!
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2009-03-06 21:33:59 UTC 
=app-text/ghostscript-gpl-8.64-r2 is OK for HPPA.
Comment 10 Ferris McCormick (RETIRED) gentoo-dev 2009-03-06 22:47:15 UTC 
(In reply to comment #8)
> (In reply to comment #4)
> > Tgurr if you have any objections tell me, please. (in bug 261434)
> 
> ++. please do so. This is long overdue but I haven't had the time to check for
> possible impacts lately, seems like the best time to get rid of it now. I'd
> also raise the question about keeping ghostscript-gnu since upstream is quite
> some releases behind and noone @printing actively maintains -gnu these days.
> 
> (In reply to comment #6)
> > updated ebuild
> Seems to miss an epatch line regarding the CVE patch.
> 
> Thanks!
> 

I don't see any difference between the attached ebuild and the ebuild for -r1 either.  Is this really what you want?
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2009-03-07 00:22:30 UTC 
Created attachment 184187 [details, diff]
ghostscript-CVE-2009-0583.patch

The patch has been revised, sorry for any additional workload. It contained a possible divison by zero before.
Comment 12 Ferris McCormick (RETIRED) gentoo-dev 2009-03-07 00:29:45 UTC 
(In reply to comment #11)
> Created an attachment (id=184187) [edit]
> ghostscript-CVE-2009-0583.patch
> 
> The patch has been revised, sorry for any additional workload. It contained a
> possible divison by zero before.
> 
I still don't see how it gets applied at all???  What am I missing?
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2009-03-07 00:45:19 UTC 
(In reply to comment #12)
> I still don't see how it gets applied at all???  What am I missing?

My comment about the updated was targeted at maintainers -- the issue of either patch not actually being applied remains as well :-)
Comment 14 Ferris McCormick (RETIRED) gentoo-dev 2009-03-07 01:10:52 UTC 
(In reply to comment #13)
> (In reply to comment #12)
> > I still don't see how it gets applied at all???  What am I missing?
> 
> My comment about the updated was targeted at maintainers -- the issue of either
> patch not actually being applied remains as well :-)
> 
Thanks for clearing that up.  I didn't understand what was going on and was confusing myself, I guess.
Comment 15 Markus Meier gentoo-dev 2009-03-07 09:31:24 UTC 
looks good on amd64/x86.
Comment 16 Peter Volkov (RETIRED) gentoo-dev 2009-03-07 19:04:28 UTC 
Created attachment 184259 [details]
ghostscript-gpl-8.64-patchset-3.tar.bz2

Updated patchset with updated patch. Thank you Robert.
Comment 17 Peter Volkov (RETIRED) gentoo-dev 2009-03-07 19:05:26 UTC 
Created attachment 184260 [details]
ghostscript-gpl-8.64-r2.ebuild

Timo, Ferris you were right. I forgot to add epatch line (heh, how did I saw it
correct patching line in output...). Well,  in expiation with this revision I
fixed not respecting LDFLAGS issue (bug #209803).

Arch teams, please, test this new ebuild with updated patchset.
Comment 18 Peter Volkov (RETIRED) gentoo-dev 2009-03-07 20:41:13 UTC 
Created attachment 184271 [details]
ghostscript-gnu-8.62.0.ebuild

Finally ebuild for ghostscript-gnu-8.62.0.ebuild. To make it workable you need to download patch (attachment 184187 [details, diff] ghostscript-CVE-2009-0583.patch) and mv it into $FILESDIR/ghostscript-gnu-8.62.0-CVE-2009-0583.patch.
Comment 19 Peter Volkov (RETIRED) gentoo-dev 2009-03-07 20:42:01 UTC 
Created attachment 184273 [details, diff]
ghostscript-gnu-8.62.0-LDFLAGS-strip.patch

Also, for ghostscript-gnu-8.62.0.ebuild you need this patch inside $FILESDIR.
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2009-03-08 13:27:13 UTC 
Embargo date has been pushed back to March 19, so we have a few more days to test.
Comment 21 Ferris McCormick (RETIRED) gentoo-dev 2009-03-08 16:49:15 UTC 
Both apply the patches correctly and build on sparc.  Preliminary checkout indicates that ghostscript-gpl-8.64-r2 is good, but I'll give it more testing over the next week before saying for sure.  Unless I indicate otherwise, testing is with -gpl-8.64-r2.
Comment 22 Jeroen Roovers (RETIRED) gentoo-dev 2009-03-11 20:48:02 UTC 
(In reply to comment #17)
> Created an attachment (id=184260) [edit]
> ghostscript-gpl-8.64-r2.ebuild
> Arch teams, please, test this new ebuild with updated patchset.

HPPA is OK again.
Comment 23 Ferris McCormick (RETIRED) gentoo-dev 2009-03-11 21:17:34 UTC 
Sparc is good for ghostscript-gpl-8.64-r2.ebuild.  The ghostcscipt-gnu-8.62.0 variant does apply the patches correctly and does build cleanly.
Comment 24 Jeroen Roovers (RETIRED) gentoo-dev 2009-03-12 15:18:24 UTC 
app-text/ghostscript-gnu-8.62.0 is OK for HPPA.
Comment 25 Robert Buchholz (RETIRED) gentoo-dev 2009-03-19 19:31:14 UTC 
This is now public. Please commit with the stable keywords as gathered in this bug.
Comment 26 Peter Volkov (RETIRED) gentoo-dev 2009-03-19 20:47:20 UTC 
ebuilds commited. I've not added amd64/x86 keywords, since packages were tested before patch/ebuilds updated. sparc I'm not sure about ghostscript-gnu: do you want to stabilized it? hppa, do you want to keyword ghostscript-gnu?

Target keywords:
ghostscript-gpl-8.64-r2: alpha amd64 arm ia64 ppc ppc64 s390 sh x86
app-text/ghostscript-gnu-8.62.0: ppc64
Comment 27 Brent Baude (RETIRED) gentoo-dev 2009-03-20 15:20:09 UTC 
ppc64 done
Comment 28 Brent Baude (RETIRED) gentoo-dev 2009-03-20 15:20:20 UTC 
ppc done
Comment 29 Markus Meier gentoo-dev 2009-03-20 23:38:07 UTC 
amd64/x86 stable
Comment 30 Tobias Klausmann (RETIRED) gentoo-dev 2009-03-22 17:20:50 UTC 
Stable on alpha.
Comment 31 Tobias Heinlein (RETIRED) gentoo-dev 2009-03-22 20:18:14 UTC 
GLSA request filed.
Comment 32 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-23 22:42:43 UTC 
GLSA 200903-37
Comment 33 Raúl Porcel (RETIRED) gentoo-dev 2009-03-25 14:52:09 UTC 
arm/ia64/s390/sh stable :D