Bug 437654 - <app-text/ghostscript-gpl-9.10-r2: Multiple integer underflows (CVE-2012-4405)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Blocks: CVE-2013-6891
Reported: 2012-10-09 00:39 UTC by GLSAMaker/CVETool Bot
Modified: 2014-12-13 17:55 UTC

Attachments
patch from debian (CVE-2012-4405.dpatch,876 bytes, application/x-shellscript)
2014-01-23 22:55 UTC, Andreas K. Hüttel

Description GLSAMaker/CVETool Bot gentoo-dev 2012-10-09 00:39:07 UTC
CVE-2012-4405 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4405):
  Multiple integer underflows in the icmLut_allocate function in International
  Color Consortium (ICC) Format library (icclib), as used in Ghostscript 9.06
  and Argyll Color Management System, allow remote attackers to cause a denial
  of service (crash) and possibly execute arbitrary code via a crafted (1)
  PostScript or (2) PDF file with embedded images, which triggers a heap-based
  buffer overflow.  NOTE: this issue is also described as an array index
  error.
Comment 1 Daniel Bumke 2013-02-24 14:11:34 UTC
Are the current stable versions affected by this? (i.e. do they use the bundled icclib?)
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2013-05-06 21:41:30 UTC
(In reply to comment #1)
> Are the current stable versions affected by this? (i.e. do they use the
> bundled icclib?)

Yes, see bug 206893
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2014-01-23 22:55:56 UTC
Created attachment 368598
patch from debian

This is what Ubuntu uses, source is acknowledged as RH. More later.
Comment 4 Timo Gurr (RETIRED) gentoo-dev 2014-02-09 20:50:24 UTC
Okay more research would've been needed here (please screw my -r1 ebuild).

Fedora removed the bundled lib already since gs 9.05:

http://pkgs.fedoraproject.org/cgit/ghostscript.git/commit/?id=6d215360a2e3a6f683beca044836ad6feb56c540

As of ghostscript-gpl-9.07 it isn't even shipped within the upstream tarball anymore, it has been replaced by lcms{,2}. Upstream commit:

http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d8ca80d1cb480702c109414c46e381981c94ddcb

BUT our current stable version is still 9.05-r1 which bundles the library so the bug is still valid.

I've committed a new revision for 9.10 which just includes two upstream fixes for known segfault issues. I'd like to get ghostscript-gpl-9.10-r2 stabilized. As always there are a few open bugs but none are show stoppers.
Comment 5 Chris Reffett (RETIRED) gentoo-dev Security 2014-02-10 02:43:43 UTC
Sounds good to me. Arches, please test and stabilize:
=app-text/ghostscript-gpl-9.10-r2
Target arches: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2014-02-10 16:38:44 UTC
--- cups-filters-1.0.36-r1.ebuild       2014-01-16 19:06:50.099068746 +0100
+++ cups-filters-1.0.43-r1.ebuild       2014-01-05 22:54:10.000000000 +0100
[...]
 RDEPEND="
-       <app-text/ghostscript-gpl-9.09
+       >=app-text/ghostscript-gpl-9.09
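
Review bot: The RDEPEND bound on app-text/ghostscript-gpl inverts from <9.09 to >=9.09 between the two revisions, so cups-filters-1.0.36-r1 cannot be installed alongside any ghostscript-gpl at or above 9.09 and 1.0.43-r1 cannot be installed alongside anything below it; the two packages need to move to stable in the same step on each arch, otherwise the security update is blocked by the older cups-filters. The elided context gives no reason for placing the boundary at 9.09, so a short comment above the atom in the ebuild recording why would help later version bumps.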

Can we get some confirmation on stabilising both?
Comment 7 Andreas K. Hüttel archtester gentoo-dev 2014-02-10 17:22:15 UTC
(In reply to Jeroen Roovers from comment #6)

I see no problems with that. (The version dep is a protection against file collisions, but I see no real reasons to backport it, ...43 should be fine.)

Arches, please test and stabilize with target
"alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=app-text/ghostscript-gpl-9.10-r2
=net-print/cups-filters-1.0.43-r1

[You will get a block when you have foomatic-filters in your WORLD file. You'll need to deselect it and it will get unmerged then.]
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2014-02-10 19:25:16 UTC
(In reply to Andreas K. Hüttel from comment #7)
> (In reply to Jeroen Roovers from comment #6)
> 
> I see no problems with that. (The version dep is a protection against file
> collisions, but I see no real reasons to backport it, ...43 should be fine.)
> 
> Arches, please test and stabilize with target
> "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
> 
> =app-text/ghostscript-gpl-9.10-r2
> =net-print/cups-filters-1.0.43-r1
> 
> [You will get a block when you have foomatic-filters in your WORLD file.
> You'll need to deselect it and it will get unmerged then.]

That would reversely pull in =net-print/cups-1.7.1 because of =net-print/cups-1.6.4's dependency on net-print/foomatic-filters
Comment 9 Andreas K. Hüttel archtester gentoo-dev 2014-02-12 17:23:23 UTC
(In reply to Jeroen Roovers from comment #8)
> 
> That would reversely pull in =net-print/cups-1.7.1 because of
> =net-print/cups-1.6.4's dependency on net-print/foomatic-filters

Should be fixed, I've changed that in cups-1.6.4 to read 
|| ( >=net-print/cups-filters-1.0.43-r1[foomatic] net-print/foomatic-filters )
Comment 10 Timo Gurr (RETIRED) gentoo-dev 2014-02-12 19:33:28 UTC
Just a note to avoid any confusion since I've just added -r3, the candidate for stabilization is still -r2 for now.
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2014-02-13 16:04:44 UTC
Stable for HPPA.
Comment 12 Agostino Sarubbo gentoo-dev 2014-02-15 21:18:47 UTC
amd64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-02-15 21:28:24 UTC
x86 stable
Comment 14 Agostino Sarubbo gentoo-dev 2014-02-16 07:34:54 UTC
alpha stable
Comment 15 Agostino Sarubbo gentoo-dev 2014-02-16 12:07:39 UTC
ia64 stable
Comment 16 Agostino Sarubbo gentoo-dev 2014-02-17 21:08:04 UTC
arm stable
Comment 17 Agostino Sarubbo gentoo-dev 2014-02-20 14:18:48 UTC
ppc stable
Comment 18 Agostino Sarubbo gentoo-dev 2014-02-20 14:19:13 UTC
ppc64 stable
Comment 19 Agostino Sarubbo gentoo-dev 2014-02-20 14:21:14 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 20 Timo Gurr (RETIRED) gentoo-dev 2014-03-26 17:37:21 UTC
(In reply to Agostino Sarubbo from comment #19)
> Maintainer(s), please cleanup.

Cleanup is done.
Comment 21 Yury German Gentoo Infrastructure gentoo-dev 2014-04-24 02:52:50 UTC
Arches and Maintainer(s), Thank you for your work.

Added to new GLSA Request
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 17:55:40 UTC
This issue was resolved and addressed in
 GLSA 201412-17 at http://security.gentoo.org/glsa/glsa-201412-17.xml
by GLSA coordinator Sean Amoss (ackle).