** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **
Ghostscript's ICC Library integer overflows
The Ghostscript International Color Consortium Format Library
(icclib), implementing support for the cross-platform device
independent color profile format, is prone to multiple integer
overflows and lacks multiple upper-bounds checks on certain variable
sizes. Providing a malicious PostScript file with embedded images with
specially-crafted ICC profiles could cause Ghostscript (PostScript
and PDF language interpreter and previewer) to crash, or, potentially,
execute arbitrary code.
Ghostscript <= 8.64
CVE-2009-0583 Multiple integer overflows in the ICC Library
CVE-2009-0584 Multiple insufficient upper-bounds checks on certain
variable sizes in the ICC Library
Jan Lieskovsky, <jlieskov [at] redhat [dot] com>, Red Hat Security
To Chris Evans, <scarybeasts [at] gmail [dot] com> for reporting
the original LittleCMS vulnerability and for confirming that
Ghostscript's ICC library is also affected.
To Tim Waugh, <twaugh [at] redhat [dot] com> for confirming that
Ghostscript's ICC library is affected and for providing a patch
for the current 8.64 version.
To Tomas Hoger <thoger [at] redhat [dot] com> for further
patch analysis and review.
The provided patch should already address the previous
reservations about the LittleCMS patch (incorrect detection
of integer overflows).
2009-02-24: LittleCMS vulnerability report
2009-02-26: Ghostscript vulnerability identified, contacted LittleCMS
vulnerability reporter and Ghostscript maintainer
2009-02-26: Vulnerability confirmed, initial solution proposal
2009-02-27: Patch for current 8.64 version provided by maintainer
2009-03-02: Further patch review and improvements
2009-03-03: Other vendors contacted
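The advisory describes the defect class (a size derived from a profile-supplied count that overflows, with no upper bound on the count), and the thread later notes that the first patch revision could divide by zero. The following is an added example, not icclib's or Ghostscript's code; the ICC_MAX_ENTRIES cap, the function names and the tag layout are assumptions made for the illustration. It shows an allocation-size check that catches the overflow, enforces an upper bound, and never divides by a value a profile controls.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical cap on the entry count a single ICC tag may declare;
 * an assumption for this example, not a value taken from icclib. */
#define ICC_MAX_ENTRIES (1u << 20)

/* Validate count * elem_size before allocating. Returns 1 and stores the
 * byte size in *out on success, 0 if the count exceeds the upper bound or
 * the product would wrap. A check written as "size / count != elem_size"
 * divides by zero when a profile declares count == 0; here count is
 * tested first and the only division is by the caller-supplied, non-zero
 * elem_size. */
int icc_checked_size(uint32_t count, size_t elem_size, size_t *out)
{
    if (elem_size == 0 || out == NULL)
        return 0;                                 /* caller bug: refuse */
    if (count == 0) {                             /* empty table: no division */
        *out = 0;
        return 1;
    }
    if (count > ICC_MAX_ENTRIES)                  /* upper-bounds check on count */
        return 0;
    if ((size_t)count > SIZE_MAX / elem_size)     /* count * elem_size would wrap */
        return 0;
    *out = (size_t)count * elem_size;
    return 1;
}

/* Big-endian 32-bit read, the byte order ICC profile fields use. */
static uint32_t icc_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Allocate a table of 16-bit entries for the count stored at the start of
 * a (constructed) tag body. Returns NULL if the body is truncated or the
 * count is rejected or zero; *out_bytes receives the allocated size. */
uint16_t *icc_alloc_table(const unsigned char *tag, size_t tag_len, size_t *out_bytes)
{
    size_t bytes;
    if (tag_len < 4 || !icc_checked_size(icc_be32(tag), sizeof(uint16_t), &bytes)
        || bytes == 0)
        return NULL;
    *out_bytes = bytes;
    return calloc(1, bytes);                      /* size already validated */
}
```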
This seems to affect all three ghostscript implementations we have in the tree; the patch applies to -gnu and -esp with fuzz.
Created attachment 183782
Our target would be to prepare ebuilds for all three applications applying the patch (tgurr,pva?) and attach it to this bug report. Then we'll do prestable testing here.
ghostscript-esp must die as it was end-of-lifed more than a year ago. I'll keyword -gpl on mips this evening and schedule removal and mask it today or this weekend.
Tgurr if you have any objections tell me, please. (in bug 261434)
Created attachment 184125
Patchset for ghostscript-gpl. Drop it into /usr/portage/distfiles.
Created attachment 184127
Updated ebuild. ghostscript-gnu will come with a version bump later today, after I test it.
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug:
Please make sure you note whether your tests are for ghostscript-gpl or ghostscript-gnu for easier reconstruction later on, thanks!
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
CC'ing current Liaisons:
alpha : yoswink, armin76
amd64 : keytoaster, tester
hppa : jer
ppc : dertobi123
ppc64 : corsair
sparc : fmccor
x86 : maekke, armin76
(In reply to comment #4)
> Tgurr if you have any objections tell me, please. (in bug 261434)
++. Please do so. This is long overdue but I haven't had the time to check for possible impacts lately; seems like the best time to get rid of it now. I'd also raise the question about keeping ghostscript-gnu since upstream is quite some releases behind and no one @printing actively maintains -gnu these days.
(In reply to comment #6)
> updated ebuild
Seems to miss an epatch line regarding the CVE patch.
=app-text/ghostscript-gpl-8.64-r2 is OK for HPPA.
(In reply to comment #8)
> (In reply to comment #4)
> > Tgurr if you have any objections tell me, please. (in bug 261434)
> ++. please do so. This is long overdue but I haven't had the time to check for
> possible impacts lately, seems like the best time to get rid of it now. I'd
> also raise the question about keeping ghostscript-gnu since upstream is quite
> some releases behind and noone @printing actively maintains -gnu these days.
> (In reply to comment #6)
> > updated ebuild
> Seems to miss an epatch line regarding the CVE patch.
I don't see any difference between the attached ebuild and the ebuild for -r1 either. Is this really what you want?
Created attachment 184187
The patch has been revised, sorry for any additional workload. It contained a possible division by zero before.
(In reply to comment #11)
> Created an attachment (id=184187)
> The patch has been revised, sorry for any additional workload. It contained a
> possible division by zero before.
I still don't see how it gets applied at all??? What am I missing?
(In reply to comment #12)
> I still don't see how it gets applied at all??? What am I missing?
My comment about the updated was targeted at maintainers -- the issue of either patch not actually being applied remains as well :-)
(In reply to comment #13)
> (In reply to comment #12)
> > I still don't see how it gets applied at all??? What am I missing?
> My comment about the updated was targeted at maintainers -- the issue of either
> patch not actually being applied remains as well :-)
Thanks for clearing that up. I didn't understand what was going on and was confusing myself, I guess.
looks good on amd64/x86.
Created attachment 184259
Updated patchset with updated patch. Thank you Robert.
Created attachment 184260
Timo, Ferris, you were right. I forgot to add the epatch line (heh, how did I see a
correct patching line in the output...). Well, in expiation, with this revision I
fixed the issue of not respecting LDFLAGS (bug #209803).
Arch teams, please, test this new ebuild with updated patchset.
Created attachment 184271
Finally, an ebuild for ghostscript-gnu-8.62.0.ebuild. To make it workable you need to download the patch (attachment 184187, ghostscript-CVE-2009-0583.patch) and mv it into $FILESDIR/ghostscript-gnu-8.62.0-CVE-2009-0583.patch.
Created attachment 184273
Also, for ghostscript-gnu-8.62.0.ebuild you need this patch inside $FILESDIR.
Embargo date has been pushed back to March 19, so we have a few more days to test.
Both apply the patches correctly and build on sparc. Preliminary checkout indicates that ghostscript-gpl-8.64-r2 is good, but I'll give it more testing over the next week before saying for sure. Unless I indicate otherwise, testing is with -gpl-8.64-r2.
(In reply to comment #17)
> Created an attachment (id=184260)
> Arch teams, please, test this new ebuild with updated patchset.
HPPA is OK again.
Sparc is good for ghostscript-gpl-8.64-r2.ebuild. The ghostscript-gnu-8.62.0 variant does apply the patches correctly and does build cleanly.
app-text/ghostscript-gnu-8.62.0 is OK for HPPA.
This is now public. Please commit with the stable keywords as gathered in this bug.
Ebuilds committed. I've not added amd64/x86 keywords, since the packages were tested before the patch/ebuilds were updated. sparc, I'm not sure about ghostscript-gnu: do you want to stabilize it? hppa, do you want to keyword ghostscript-gnu?
ghostscript-gpl-8.64-r2: alpha amd64 arm ia64 ppc ppc64 s390 sh x86
Stable on alpha.
GLSA request filed.
arm/ia64/s390/sh stable :D