Bug 264594 (CVE-2009-0196) - <app-text/ghostscript-gpl-8.64-r3 jbig2dec JBIG2 Buffer Overflow / ICC Integer overflow (CVE-2009-{0196,0792})
Summary: <app-text/ghostscript-gpl-8.64-r3 jbig2dec JBIG2 Buffer Overflow / ICC Integer overflow (CVE-2009-{0196,0792})
Status: RESOLVED FIXED
Alias: CVE-2009-0196
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords:
Duplicates: 265955
Depends on:
Blocks: CVE-2009-4270
Reported: 2009-04-02 10:23 UTC by Robert Buchholz (RETIRED)
Modified: 2014-12-13 17:55 UTC (History)
CC: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
CVE-2009-0196.patch (CVE-2009-0196.patch,1.83 KB, patch)
2009-04-02 10:25 UTC, Robert Buchholz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2009-04-02 10:23:24 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Secunia Research has discovered a vulnerability in Ghostscript, which
can be exploited by malicious people to potentially compromise a user's
system.

The vulnerability is caused due to a boundary error in the included
jbig2dec library while decoding JBIG2 symbol dictionary segments. This
can be exploited to cause a heap-based buffer overflow via a specially
crafted PDF file.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is confirmed in version 8.64. Other versions may also
be affected.

Vulnerability Details:
----------------------

The vulnerability is caused due to missing boundary checks when forming
the exported symbol list from a symbol dictionary segment. Specifically,
specially crafted "EXRUNLENGTH" values can result in a heap-based buffer
overflow of the "SDEXSYMS" array:

======
[jbig2dec/jbig2_symbol_dict.c:696]
    while (j < params->SDNUMEXSYMS) {
      if (params->SDHUFF)
        /* FIXME: implement reading from huff table B.1 */
        exrunlength = params->SDNUMEXSYMS;
      else
        /* exrunlength comes straight from the file and is never
           compared against the SDNUMEXSYMS - j slots still free */
        code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
      for(k = 0; k < exrunlength; k++)
        if (exflag) {
          /* only the outer while bounds j, so a single long run
             writes past the end of SDEXSYMS->glyphs */
          SDEXSYMS->glyphs[j++] = (i < m) ?
            jbig2_image_clone(ctx, params->SDINSYMS->glyphs[i]) :
            jbig2_image_clone(ctx, SDNEWSYMS->glyphs[i-m]);
          i++;
        }
        exflag = !exflag;
    }
======

...

We have assigned this vulnerability Secunia advisory SA34292 and CVE
identifier CVE-2009-0196.

A preliminary disclosure date of 2009-04-08 10am CET has been set, where
the details will be publicly disclosed.
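The export loop quoted in the advisory, as an added example that is not part of the bug report, of the attached patch or of jbig2dec itself. It keeps the control flow of the quoted snippet (including `i++` only on exported runs), replaces the arithmetic decoder with a table of constructed EXRUNLENGTH values and glyph images with integer ids, and places the vulnerable loop beside a hardened one that rejects a run before consuming it. The names `stub_decoder`, `dict_params`, `export_vulnerable`, `export_hardened` and `run_both`, the SLACK sentinel region and the sample run tables are all assumptions made for this example; the checks in `export_hardened` are the bounds the snippet violates, not a claim about what the upstream fix looks like.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not jbig2dec code: the symbol dictionary export loop with
 * and without a bound on EXRUNLENGTH.  Glyphs are 1-based int ids and the
 * arithmetic decoder is a table of constructed run lengths. */

#define CANARY 0x5AFE
#define SLACK  8            /* sentinel slots placed after the export array */

typedef struct {
    const int *runs;        /* constructed EXRUNLENGTH values, in decode order */
    size_t nruns, pos;
} stub_decoder;

/* Stand-in for jbig2_arith_int_decode(IAEX, ...): 0 on success, -1 when the
 * constructed input runs out (the real decoder never does). */
static int stub_decode(stub_decoder *d, int *exrunlength)
{
    if (d->pos >= d->nruns) return -1;
    *exrunlength = d->runs[d->pos++];
    return 0;
}

typedef struct {
    int m;                  /* input symbols (SDINSYMS) */
    int nnew;               /* new symbols (SDNEWSYMS) */
    int sdnumexsyms;        /* SDNUMEXSYMS: declared size of the export array */
} dict_params;

/* Symbol i is SDINSYMS[i] for i < m, else SDNEWSYMS[i-m]; -1 marks a read
 * past both source arrays (the quoted loop does not bound i either). */
static int source_glyph(const dict_params *p, int i)
{
    return (i < p->m + p->nnew) ? i + 1 : -1;
}

/* Vulnerable form, same control flow as the quoted snippet: only the outer
 * `while (j < SDNUMEXSYMS)` bounds j, so one run longer than the free slots
 * writes past exsyms[sdnumexsyms - 1].  exsyms must have sdnumexsyms + SLACK
 * slots; the SLACK guard exists only so the demo stays memory-safe. */
static int export_vulnerable(const dict_params *p, stub_decoder *d, int *exsyms)
{
    int i = 0, j = 0, exrunlength;
    bool exflag = false;
    while (j < p->sdnumexsyms) {
        if (stub_decode(d, &exrunlength) != 0) break;  /* stub input exhausted */
        for (int k = 0; k < exrunlength; k++)
            if (exflag) {
                if (j >= p->sdnumexsyms + SLACK) return j;   /* demo guard only */
                exsyms[j++] = source_glyph(p, i);
                i++;
            }
        exflag = !exflag;
    }
    return j;                                     /* slots written */
}

/* Hardened form: an export run must fit in the export array
 * (j + exrunlength <= SDNUMEXSYMS) and in the source arrays
 * (i + exrunlength <= m + nnew); negative runs and decode failures are
 * errors too.  Returns slots written, or -1 for malformed input. */
static int export_hardened(const dict_params *p, stub_decoder *d, int *exsyms)
{
    int i = 0, j = 0, exrunlength;
    bool exflag = false;
    while (j < p->sdnumexsyms) {
        if (stub_decode(d, &exrunlength) != 0 || exrunlength < 0) return -1;
        if (exflag && (exrunlength > p->sdnumexsyms - j ||
                       exrunlength > p->m + p->nnew - i))
            return -1;
        for (int k = 0; k < exrunlength; k++)
            if (exflag) {
                exsyms[j++] = source_glyph(p, i);
                i++;
            }
        exflag = !exflag;
    }
    return j;
}

/* Runs both loops on one run table with SDNUMEXSYMS = 4 and 12 source
 * symbols.  *written: slots the vulnerable loop filled; *clobbered: sentinel
 * slots it overwrote.  Returns the hardened loop's verdict. */
static int run_both(const int *runs, size_t nruns, int *written, int *clobbered)
{
    dict_params p = { .m = 6, .nnew = 6, .sdnumexsyms = 4 };
    int exsyms[4 + SLACK];
    for (size_t n = 0; n < sizeof exsyms / sizeof exsyms[0]; n++) exsyms[n] = CANARY;

    stub_decoder d = { runs, nruns, 0 };
    *written = export_vulnerable(&p, &d, exsyms);
    *clobbered = 0;
    for (int n = p.sdnumexsyms; n < p.sdnumexsyms + SLACK; n++)
        if (exsyms[n] != CANARY) (*clobbered)++;

    stub_decoder d2 = { runs, nruns, 0 };
    return export_hardened(&p, &d2, exsyms);
}

/* Constructed inputs: a well-formed dictionary exporting symbols 1..4, and a
 * crafted one whose export run claims 9 symbols for a 4-slot array. */
static const int benign_runs[]    = { 0, 4 };
static const int malicious_runs[] = { 0, 9 };

int main(void)
{
    int w, c, v;
    v = run_both(benign_runs, 2, &w, &c);
    printf("benign:    wrote %d, clobbered %d, hardened -> %d\n", w, c, v);
    v = run_both(malicious_runs, 2, &w, &c);
    printf("malicious: wrote %d, clobbered %d, hardened -> %d\n", w, c, v);
    return 0;
}
```

On the crafted input the vulnerable loop writes nine ids into a four-slot array and overruns five sentinel slots before the outer `while` ever gets a chance to stop it; in the real decoder those slots are heap memory, which is where the arbitrary-code-execution potential comes from. The hardened loop refuses the run up front, which is the property to check for in whatever patch is applied: the bound must be tested before the inner `for` starts consuming the run, not after.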
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-04-02 10:25:12 UTC
Created attachment 187058 [details, diff]
CVE-2009-0196.patch

ghostscript-gpl upstream patch
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-04-02 18:53:58 UTC
CVE-2009-0792 -- another integer overflow has been reported. Let's wait on this bug until we have a final patch.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-04-16 16:04:37 UTC
this is public via https://rhn.redhat.com/errata/RHSA-2009-0421.html
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-04-16 16:06:03 UTC
*** Bug 265955 has been marked as a duplicate of this bug. ***
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-04-16 21:52:31 UTC
CVE-2009-0196 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0196):
  Heap-based buffer overflow in the jbig2_decode_symbol_dict function
  (jbig2_symbol_dict.c) in the JBIG2 decoding library (jbig2dec) in
  Ghostscript 8.64, and probably earlier versions, allows remote
  attackers to execute arbitrary code via a PDF file with a JBIG2
  symbol dictionary segment with a large run length value.

Comment 6 Timo Gurr (RETIRED) gentoo-dev 2009-04-17 02:09:50 UTC
I've just committed ghostscript-gpl-8.64-r3 which applies the patches for both CVEs. The patch tarball could take a few minutes to hit the mirror(s) though.
Comment 7 Hanno Böck gentoo-dev 2009-05-04 10:20:06 UTC
cc-ing archs.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2009-05-04 17:26:26 UTC
Stable for HPPA.
Comment 9 Brent Baude (RETIRED) gentoo-dev 2009-05-04 17:29:02 UTC
ppc64 done
Comment 10 Brent Baude (RETIRED) gentoo-dev 2009-05-04 17:29:10 UTC
ppc done
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2009-05-04 21:32:01 UTC
x86 stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2009-05-05 16:33:12 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2009-05-05 22:16:58 UTC
(In reply to comment #6)
> I've just committed ghostscript-gpl-8.64-r3 which applies the patches for both
> CVE's. The patch tarball could take a few minutes to hit the mirror(s) though.

What about ghostscript-gnu? Is that affected as well? I see that upstream already released 8.64.0; does that fix the issue by chance?
Comment 14 Markus Meier gentoo-dev 2009-05-06 20:52:40 UTC
amd64 stable, all arches done.
Comment 15 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-11 20:36:04 UTC
GLSA together with bug 300192.
Comment 16 Andreas K. Hüttel archtester gentoo-dev 2011-06-02 19:22:32 UTC
No affected package left in the tree. 
Nothing to do for printing anymore.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 17:55:13 UTC
This issue was resolved and addressed in
 GLSA 201412-17 at http://security.gentoo.org/glsa/glsa-201412-17.xml
by GLSA coordinator Sean Amoss (ackle).