** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date **

Secunia Research has discovered a vulnerability in Ghostscript, which can be exploited by malicious people to potentially compromise a user's system.

The vulnerability is caused due to a boundary error in the included jbig2dec library while decoding JBIG2 symbol dictionary segments. This can be exploited to cause a heap-based buffer overflow via a specially crafted PDF file.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is confirmed in version 8.64. Other versions may also be affected.

Vulnerability Details:
----------------------
The vulnerability is caused due to missing boundary checks when forming the exported symbol list from a symbol dictionary segment. Specifically, specially crafted "EXRUNLENGTH" values can result in a heap-based buffer overflow of the "SDEXSYMS" array:

======
[jbig2dec/jbig2_symbol_dict.c:696]
    while (j < params->SDNUMEXSYMS) {
        if (params->SDHUFF)
            /* FIXME: implement reading from huff table B.1 */
            exrunlength = params->SDNUMEXSYMS;
        else
            code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
        for (k = 0; k < exrunlength; k++)
            if (exflag) {
                SDEXSYMS->glyphs[j++] = (i < m) ?
                    jbig2_image_clone(ctx, params->SDINSYMS->glyphs[i]) :
                    jbig2_image_clone(ctx, SDNEWSYMS->glyphs[i-m]);
                i++;
            }
        exflag = !exflag;
    }
======

...

We have assigned this vulnerability Secunia advisory SA34292 and CVE identifier CVE-2009-0196.

A preliminary disclosure date of 2009-04-08 10am CET has been set, where the details will be publicly disclosed.
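A simplified model of the export loop above with the missing bound added, as an added example that is neither Secunia's nor jbig2dec's own code; the pre-decoded run-length array, the symbol counts and the index-based stand-in for jbig2_image_clone are constructed assumptions:

```c
#include <stdio.h>

/* Constructed, simplified model of the symbol-export loop from
 * jbig2dec's jbig2_symbol_dict.c (not the library's own code).
 * EXRUNLENGTH values normally come from the arithmetic decoder (IAEX);
 * here they are supplied as a pre-decoded array so the control flow can
 * be exercised offline. Symbols are modelled as their index 0..nsyms-1
 * in the concatenated SDINSYMS + SDNEWSYMS list instead of cloned
 * glyph images. */

/* Walk alternating skip/export runs (JBIG2 6.5.10) and fill
 * exsyms[0..num_exsyms). Returns the number of symbols exported, or -1
 * when a run would write past the EXSYMS array or read past the symbol
 * list: the bound the advisory says the vulnerable loop never checks. */
int export_symbols(const int *runs, int nruns, int nsyms,
                   int *exsyms, int num_exsyms)
{
    int i = 0, j = 0, r = 0, exflag = 0;

    while (j < num_exsyms) {
        if (r >= nruns)
            return -1;                     /* segment ran out of run lengths */
        int exrunlength = runs[r++];

        /* Hardened bound: an export run must fit the remaining EXSYMS
         * slots, and any run must fit the remaining input/new symbols. */
        if (exrunlength < 0 || exrunlength > nsyms - i ||
            (exflag && exrunlength > num_exsyms - j))
            return -1;

        for (int k = 0; k < exrunlength; k++) {
            if (exflag)
                exsyms[j++] = i;           /* stands in for jbig2_image_clone */
            i++;                           /* skipped symbols advance i too */
        }
        exflag = !exflag;
    }
    return j;
}

int main(void)
{
    int out[4];
    const int ok[] = { 1, 2, 1, 2 };       /* constructed: skip 1, export 2, ... */
    const int bad[] = { 0, 100 };          /* constructed: oversized EXRUNLENGTH */
    printf("valid run list: %d exported\n", export_symbols(ok, 4, 6, out, 4));
    printf("crafted run list: %d (rejected)\n", export_symbols(bad, 2, 6, out, 4));
    return 0;
}
```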
Created attachment 187058: CVE-2009-0196.patch (ghostscript-gpl upstream patch)
CVE-2009-0792 -- another integer overflow has been reported. Let's wait on this bug until we have a final patch.
this is public via https://rhn.redhat.com/errata/RHSA-2009-0421.html
*** Bug 265955 has been marked as a duplicate of this bug. ***
CVE-2009-0196 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0196): Heap-based buffer overflow in the big2_decode_symbol_dict function (jbig2_symbol_dict.c) in the JBIG2 decoding library (jbig2dec) in Ghostscript 8.64, and probably earlier versions, allows remote attackers to execute arbitrary code via a PDF file with a JBIG2 symbol dictionary segment with a large run length value.
I've just committed ghostscript-gpl-8.64-r3 which applies the patches for both CVE's. The patch tarball could take a few minutes to hit the mirror(s) though.
cc-ing archs.
Stable for HPPA.
ppc64 done
ppc done
x86 stable
alpha/arm/ia64/s390/sh/sparc stable
(In reply to comment #6)
> I've just committed ghostscript-gpl-8.64-r3 which applies the patches for both
> CVE's. The patch tarball could take a few minutes to hit the mirror(s) though.

What about ghostscript-gnu? Is that affected as well? I see that upstream already released 8.64.0; does that fix the issue by chance?
amd64 stable, all arches done.
GLSA together with bug 300192.
No affected package left in the tree. Nothing to do for printing anymore.
This issue was resolved and addressed in GLSA 201412-17 at http://security.gentoo.org/glsa/glsa-201412-17.xml by GLSA coordinator Sean Amoss (ackle).