Bugzilla – Bug 491897
VUL-0: CVE-2009-0792: ghostscript-library: Another integer overflow in Ghostscript's ICC library
Last modified: 2019-05-01 15:01:22 UTC
Hi. There is a security bug in 'ghostscript-library'. This information is from 'vendor-sec'. This bug is NOT PUBLIC. There is no coordinated release date (CRD) set.

CVE number: CVE-2009-0792
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0792

Original posting:

----- Forwarded message from Jan Lieskovsky <jlieskov@redhat.com> -----
Subject: Re: [vendor-sec] Another integer overflow in Ghostscript's ICC library (CVE-2009-0792) [was: Ghostscript ICC library integer overflows]
From: Jan Lieskovsky <jlieskov@redhat.com>
Reply-To: Jan Lieskovsky <jlieskov@redhat.com>
To: vendor-sec <vendor-sec@lst.de>
Cc: Tim Waugh <twaugh@redhat.com>, Ralph Giles <giles@ghostscript.com>
Date: Thu, 02 Apr 2009 18:12:04 +0200
Errors-To: vendor-sec-admin@lst.de

Hello vendor-sec,

another integer overflow was found in Ghostscript's ICC library. The embargo date for this issue is April 8, 2009.

Attached are more detailed issue details and a proposed patch for the current 8.64 version.

There are no working PoCs known at this moment.

The CVE identifier CVE-2009-0792 has already been assigned to this flaw.

Let us know if you have any further questions.

Regards, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Response Team

------------------------------------------------------------------------

Description:

The Ghostscript International Color Consortium Format Library (icclib), implementing support for the cross-platform device independent color profile format, is prone to an integer overflow while creating the reverse curve lookup acceleration table. Providing a malicious PDF file with embedded images with specially-crafted ICC profiles could cause Ghostscript to crash.

Affected part of the code:

        /* Initialize the reverse lookup structures, and get overall min/max */
        if ((rt->rlists = (int **) icp->al->calloc(icp->al, 1, rt->rsize * sizeof(int *))) == NULL) {
                return 2;
        }

Affected versions:

Ghostscript <= 8.64

CVE information:

CVE-2009-0792

> On Tue, 2009-03-03 at 17:08 +0100, Jan Lieskovsky wrote:
> > Hello vendor-sec,
> >
> > based on oCERT's 2009-003 LittleCMS integer overflows draft, we
> > identified the presence of similar multiple integer overflows
> > and lack of multiple upper-bounds checks on certain variable sizes in
> > Ghostscript's International Color Consortium Format Library (icclib)
> > implementation.
> >
> > The embargo date for this issue is the same as for LittleCMS,
> > March 9, 2009.
> >
> > Attached are more detailed issue details and a proposed patch
> > for the current 8.64 version.
> >
> > There are no working PoCs known at this moment.
> >
> > Two CVE identifiers have already been assigned to these issues
> > (concrete identifiers in draft).
> >
> > Let us know if you have any further questions.
> >
> > Regards, Jan.
> > --
> > Jan iankko Lieskovsky / Red Hat Security Response Team
> >
> > ------------------------------------------------------------------------
> >
> > Ghostscript's ICC Library integer overflows
> >
> > Description:
> >
> > The Ghostscript International Color Consortium Format Library
> > (icclib), implementing support for the cross-platform device
> > independent color profile format, is prone to multiple integer
> > overflows and lacks multiple upper-bounds checks on certain variable
> > sizes. Providing a malicious PostScript file with embedded images with
> > specially-crafted ICC profiles could cause Ghostscript (the PostScript
> > and PDF language interpreter and previewer) to crash, or, potentially,
> > execute arbitrary code.
> >
> > Affected version:
> >
> > Ghostscript <= 8.64
> >
> > CVE:
> >
> > CVE-2009-0583 Multiple integer overflows in the ICC Library
> > CVE-2009-0584 Multiple insufficient upper-bounds checks on certain
> > variable sizes in the ICC Library
> >
> > Credit:
> >
> > Jan Lieskovsky, <jlieskov [at] redhat [dot] com>, Red Hat Security
> > Response Team
> >
> > Acknowledgements:
> >
> > To Chris Evans, <scarybeasts [at] gmail [dot] com> for reporting
> > the original LittleCMS vulnerability and for Ghostscript's
> > ICC library vulnerability presence confirmation.
> >
> > To Tim Waugh, <twaugh [at] redhat [dot] com> for Ghostscript's
> > ICC library vulnerability presence confirmation and for
> > providing a patch for the current 8.64 version.
> >
> > To Tomas Hoger <thoger [at] redhat [dot] com> for further
> > patch analysis and review.
> >
> > Note:
> >
> > The provided patch should already address previous
> > reservations about the LittleCMS patch (incorrect detection
> > of integer overflows).
> >
> > Timeline:
> > 2009-02-24: LittleCMS vulnerability report
> > 2009-02-26: Ghostscript vulnerability identified, contacted LittleCMS
> > vulnerability reporter and Ghostscript maintainer
> > 2009-02-26: Vulnerability confirmed, initial solution proposal
> > from maintainer
> > 2009-02-27: Patch for current 8.64 version provided by maintainer
> > 2009-03-02: Further patch review and improvements
> > 2009-03-03: Other vendors contacted
> >
> > -------------------------------------------------------------

diff -up ghostscript-8.64/icclib/icc.c.CVE-2009-0792 ghostscript-8.64/icclib/icc.c --- ghostscript-8.64/icclib/icc.c.CVE-2009-0792 2009-03-24 15:43:05.000000000 +0000 +++ ghostscript-8.64/icclib/icc.c 2009-03-24 15:44:12.000000000 +0000 @@ -2979,7 +2979,7 @@ static int icmTable_setup_bwd( rt->qscale = (double)rt->rsize/(rt->rmax - rt->rmin); /* Scale factor to quantize to */ /* Initialize the reverse lookup structures, and get overall min/max */ - if ((rt->rlists = (int **) icp->al->calloc(icp->al, 1, rt->rsize * sizeof(int *))) == NULL) { + if ((rt->rlists = (int **) icp->al->calloc(icp->al, rt->rsize, sizeof(int *))) == NULL) { return 2; }

----- End forwarded message -----
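Review bot: the one-line change in icmTable_setup_bwd only moves the multiplication `rt->rsize * sizeof(int *)` into the allocator's `nmemb, size` arguments, so it is a fix only if `icp->al->calloc` itself verifies that `nmemb * size` fits in size_t; an icclib allocator that multiplies and forwards to malloc leaves the wrap exactly where it was. `rt->rsize` is still derived unchecked from `rt->size` earlier in the function (`rt->rsize = (rt->size+2)/2`), so a single bound on `rt->size` at the top of the function (rejecting anything that cannot be held in an int index, e.g. `size > INT_MAX - 2`) would cover this allocation, the int loop counters that run to `rt->size`, and the later `realloc(..., sizeof(int) * as)` growth in the same function, none of which this hunk touches.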
Date: Thu, 2 Apr 2009 11:22:31 -0700
Subject: Re: [vendor-sec] Another integer overflow in Ghostscript's ICC library (CVE-2009-0792) [was: Ghostscript ICC library integer overflows]
From: Ralph Giles <giles@ghostscript.com>
To: Jan Lieskovsky <jlieskov@redhat.com>
Cc: vendor-sec <vendor-sec@lst.de>, Tim Waugh <twaugh@redhat.com>
Errors-To: vendor-sec-admin@lst.de

On Thu, Apr 2, 2009 at 9:12 AM, Jan Lieskovsky <jlieskov@redhat.com> wrote:
> Affected part of the code:
>
>         /* Initialize the reverse lookup structures, and get overall min/max */
>         if ((rt->rlists = (int **) icp->al->calloc(icp->al, 1, rt->rsize * sizeof(int *))) == NULL) {
>                 return 2;
>         }

Thanks for the patch. This one is at least more straightforward!

However, I'm still trying to understand these integer overflow issues. Why is this a problem, but the earlier statement rt->rsize = (rt->size+2)/2 not? What about the previous and subsequent for(int i = 0; i < rt->size; i++) which will hang if the rt->size (which is long) is > INT_MAX? In the case of the loop, are you relying on size being limited to 2^32 by the ICC file format?

-r
_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
Created attachment 283989 [details] ghostscript-CVE-2009-0792.patch
Created attachment 284184 [details] ghostscript-CVE-2009-0792.patch

Subject: Re: [vendor-sec] Another integer overflow in Ghostscript's ICC library (CVE-2009-0792) [was: Ghostscript ICC library integer overflows]
From: Jan Lieskovsky <jlieskov@redhat.com>
Reply-To: Jan Lieskovsky <jlieskov@redhat.com>
To: Ralph Giles <giles@ghostscript.com>
Cc: vendor-sec <vendor-sec@lst.de>, Tim Waugh <twaugh@redhat.com>
Date: Fri, 03 Apr 2009 17:47:38 +0200
Errors-To: vendor-sec-admin@lst.de

[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 3.2K --]

Hello Ralph,

thank you for the review!

On Thu, 2009-04-02 at 11:22 -0700, Ralph Giles wrote:
> On Thu, Apr 2, 2009 at 9:12 AM, Jan Lieskovsky <jlieskov@redhat.com> wrote:
>
> > Affected part of the code:
> >
> >         /* Initialize the reverse lookup structures, and get overall min/max */
> >         if ((rt->rlists = (int **) icp->al->calloc(icp->al, 1, rt->rsize * sizeof(int *))) == NULL) {
> >                 return 2;
> >         }
>
> Thanks for the patch. This one is at least more straightforward!
>
> However, I'm still trying to understand these integer overflow issues.
> Why is this a problem, but the earlier statement rt->rsize =
> (rt->size+2)/2 not? What about the previous and subsequent for(int i =
> 0; i < rt->size; i++) which will hang if the rt->size (which is long)
> is > INT_MAX? In the case of the loop, are you relying on size being
> limited to 2^32 by the ICC file format?

You were right here.
We revised the fix and identified the following potential issues still omitted:

1, 3013  for (i = 0; i < rt->size; i++) {                  /* i can overflow */
2, 3021  rt->rsize = (rt->size+2)/2;                        /* rt->size can overflow */
3, 3030  for (i = 0; i < (rt->size-1); i++) {               /* i can overflow */
4, 3032  s = ((rt->data[i] - rt->rmin) * rt->qscale);       /* a, int = (double - double) * double */
                                                            /* b, accessing 'who knows what' for data[i], if 'i' overflows */
5, 3033  e = ((rt->data[i+1] - rt->rmin) * rt->qscale);     /* the same as above -- two issues */
6, 3056  as *= 2                                            /* potential overflow */
7, 3057  rt->rlists[j] = (int *) icp->al->realloc(icp->al,rt->rlists[j], sizeof(int) * as);   /* potential overflow */
8, 3064  rt->rlists[j][nf++] = i;                           /* i could have a value higher than MAX_INT due to rt->size */
9, 3105  ix = (int)floor(val);                              /* ix can have a value < 0, which results in accessing 'who knows what' for e.g. rt->rlists[ix][i] */

So we fixed 1, 2, 3, 4b, 5b, 8 with the assumption:

+       if (size > INT_MAX - 2)
+               /* Although rt->size is unsigned long, the rt data
+                * structure uses int data types to store indices. */
+               return 2;
+

because INT_MAX <= LONG_MAX.

4a, 5a with the added checks "if (s < 0) s = 0;", "if (e < 0) e = 0;"
6, 7 with the check "if (as > INT_MAX / 2 / sizeof (int))"
and finally 9 with the check "if (ix < 0)".

Also replaced six occurrences of the 'malloc' function at 3674, 3890, 6717, 7891, 8830 and 8840 with the safer 'calloc' call.

All the changes in more detail in the attached patch against the 8.64 version.

Thanks && regards, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S. Could you please have a look and potentially review another Ghostscript issue, available at:
http://bugs.ghostscript.com/show_bug.cgi?id=689917#c12 ?

> > -r

[-- Attachment #2: ghostscript-CVE-2009-0792.patch --]
[-- Type: text/x-patch, Encoding: 7bit, Size: 5.0K --]

diff -up ghostscript-8.64/icclib/icc.c.CVE-2009-0792 ghostscript-8.64/icclib/icc.c
[...]
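The checks listed in the message above, written out as a stand-alone C example. This is added here and is not icclib or Ghostscript code; the names (rev_table, grow_bucket, clamp_index, unchecked_bytes32) and the 32-bit pointer size used to emulate the original wrap are assumptions for illustration. It shows why the original `calloc(icp->al, 1, rt->rsize * sizeof(int *))` is unsafe on a 32-bit target, then the size bound, checked allocation, growth bound and index clamp from items 1-3 and 6-9, returning 2 on rejection as icclib does. The upper clamp in clamp_index goes one step beyond the thread's "if (ix < 0)" check.

```c
/* Added example, not icclib code: the overflow guards discussed in this
 * thread, written as stand-alone checks. All names (rev_table, grow_bucket,
 * clamp_index, ...) are hypothetical; return codes follow icclib's
 * convention of 0 on success and non-zero on failure. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* The original allocation: calloc(al, 1, rsize * sizeof(int *)). With a
 * 32-bit size_t the product wraps before calloc ever sees it. Emulated
 * here with uint32_t and a 4-byte pointer so it behaves the same on any host. */
static uint32_t unchecked_bytes32(int rsize)
{
    const uint32_t ptr_size = 4;          /* sizeof(int *) on a 32-bit target (assumed) */
    return (uint32_t)rsize * ptr_size;    /* 0x40000001 * 4 wraps to 4 */
}

/* Overflow-aware multiply: returns 1 if a*b does not fit in size_t. */
static int mul_overflows(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 1;
    if (out != NULL)
        *out = a * b;
    return 0;
}

/* Passing count and element size separately, as the first patch does, is
 * only safe if the allocator checks the product; this wrapper does so
 * explicitly instead of trusting an icp->al->calloc implementation to. */
static void *checked_calloc(size_t nmemb, size_t size)
{
    size_t total;
    if (mul_overflows(nmemb, size, &total))
        return NULL;
    return calloc(nmemb, size);
}

struct rev_table {
    unsigned long size;   /* forward table entries, attacker-influenced */
    int rsize;            /* reverse table size; icclib keeps int indices */
    int **rlists;
};

/* Items 1, 2, 3 and 8: reject any size whose derived indices would not
 * fit an int, before computing (size+2)/2 or running the int loops. */
static int rev_table_setup(struct rev_table *rt, unsigned long size)
{
    if (size > (unsigned long)INT_MAX - 2)
        return 2;
    rt->size = size;
    rt->rsize = (int)((size + 2) / 2);
    rt->rlists = (int **)checked_calloc((size_t)rt->rsize, sizeof(int *));
    return rt->rlists == NULL ? 2 : 0;
}

/* rsize that a given size would be granted, or -1 if it is rejected. */
static int rev_table_rsize_for(unsigned long size)
{
    struct rev_table rt = {0, 0, NULL};
    if (rev_table_setup(&rt, size) != 0)
        return -1;
    free(rt.rlists);
    return rt.rsize;
}

/* Items 6 and 7: bound 'as' before doubling it and before sizeof(int) * as. */
static int grow_bucket(int **list, int *as)
{
    int *n;
    if (*as > INT_MAX / 2 / (int)sizeof(int))
        return 2;
    *as *= 2;
    n = (int *)realloc(*list, sizeof(int) * (size_t)*as);
    if (n == NULL)
        return 2;
    *list = n;
    return 0;
}

/* Grows an initially empty bucket once from start_as; returns the new
 * capacity, or -1 if the bound check refused it (no allocation happens). */
static int grow_bucket_demo(int start_as)
{
    int *list = NULL;
    int as = start_as;
    if (grow_bucket(&list, &as) != 0)
        return -1;
    free(list);
    return as;
}

/* Item 9: (int)floor(val) can be negative; clamp into [0, rsize-1].
 * floor() is done by hand (val assumed within long long range) so the
 * example needs no libm. */
static int clamp_index(double val, int rsize)
{
    long long t = (long long)val;         /* truncates toward zero */
    if ((double)t > val)
        t -= 1;                           /* floor for negative values */
    if (t < 0)
        return 0;
    if (t >= rsize)
        return rsize - 1;
    return (int)t;
}
```

The point of rev_table_setup is that one bound on the attacker-controlled `size` protects every int index derived from it, which is simpler to audit than guarding each multiplication and loop separately; checked_calloc is still worth keeping because the bound on `size` says nothing about what a custom allocator does with `nmemb * size`.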
I've fixed versions for this bug, bug #492765, and bug #489622 for SLES9-SP4, SLES10-SP2, 10.3, 11.0, 11.1, and SLES11
The SWAMPID for this issue is 23762. Please submit the patch and patchinfo file using this ID. (https://swamp.suse.de/webswamp/wf/23762)
Created attachment 285019 [details] ghostscript-CVE-2009-0792.patch

Subject: Re: [vendor-sec] Another integer overflow in Ghostscript's ICC library (CVE-2009-0792) [was: Ghostscript ICC library integer overflows]
From: Jan Lieskovsky <jlieskov@redhat.com>
Reply-To: Jan Lieskovsky <jlieskov@redhat.com>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: vendor-sec <vendor-sec@lst.de>, Tim Waugh <twaugh@redhat.com>, Ralph Giles <giles@ghostscript.com>, lolando@debian.org
Date: Wed, 08 Apr 2009 15:50:20 +0200
Errors-To: vendor-sec-admin@lst.de

[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 2.6K --]

Hello vendor-sec,

hoping it is not too late for Ghostscript :(. While preparing the Argyllcms patch we found out that there are still some insufficient checks present, so attached is an updated patch for Ghostscript 8.64 and for Argyllcms. Argyllcms upstream has been contacted in a separate thread.

Note: Many thanks to Tim Waugh for repeated immediate help with patches.

Regards, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Response Team
Werner, does this affect us?
Already done:

-------------------------------------------------------------------
Tue Apr  7 17:47:57 CEST 2009 - werner@suse.de

- heap-overflow in JBIG2 decoder (CVE-2009-0196)
- integer overflow in ICC library (CVE-2009-0792)
- crash in CCITTFax decoder (bnc#492765)
- buffer overflow in BaseFont writer module (bnc#492765)
-------------------------------------------------------------------
further tracking in bug 492765
Date: Wed, 22 Apr 2009 01:49:20 +0200
From: Nico Golde <nion@debian.org>
To: vendor-sec@lst.de
Subject: Re: [vendor-sec] Ghostscript ICC library integer overflows [was: [oCERT-2009-003 draft] LittleCMS integer overflows]
Mail-Followup-To: vendor-sec@lst.de
Errors-To: vendor-sec-admin@lst.de

[-- PGP output follows (current time: Wed 22 Apr 2009 08:44:43 CEST) --]
gpg: Signature made Wed 22 Apr 2009 01:49:20 CEST using DSA key ID 73647CFF
gpg: Can't check signature: public key not found
[-- End of PGP output --]

[-- The following data is signed --]

Hi,
* Jan Lieskovsky <jlieskov@redhat.com> [2009-03-07 08:50]:
> Hello vendor-sec,
>
> attached is revised Ghostscript ICC library patch
> (against latest 8.64 version), which takes into account
> also the 'division by zero' flaw.

Sorry to get back to you that late, I had no time to look into the patch before and our stable updates are currently handled by Moritz. I spotted a small problem with this patch.

[...]
9350 static int icc_write(
9351     icc *p,
9352     icmFile *fp,          /* File to write to */
9353     unsigned long of      /* File offset to write to */
9354 ) {
9355     char *bp, *buf;       /* Buffer to write to */
9356     unsigned int len;
9357     int rv = 0;
9358     int i;
9359     unsigned int size = 0;
9360
9361     /* Check that the right tags etc. are present for a legal ICC profile */
9362     if ((rv = check_icc_legal(p)) != 0) {
9363         return rv;
9364     }
9365
9366     p->fp = fp;           /* Open file pointer */
9367     p->of = of;           /* Offset of ICC profile */
9368
9369     /* Compute the total size and tag element data offsets */
9370     if (p->header == NULL) {
9371         sprintf(p->err,"icc_write: No header defined");
9372         return p->errc = 1;
9373     }
9374
9375     size += p->header->get_size(p->header);
> @@ -9373,9 +9646,19 @@ static int icc_write( > } > > size += p->header->get_size(p->header); > + if (p->errc) > + return p->errc; > > + if (p->count > (UINT_MAX - 4 - len) / 12) { > + sprintf(p->err,"icc_write: too many tags"); > + return p->errc = 1; > + } > len = 4 + p->count * 12; /* Tag table length */ > size = DO_ALIGN(size); > + if (size == 0 || size > UINT_MAX - len) { > + sprintf(p->err,"icc_write: overflow writing tag table"); > + return p->errc = 1; > + } > size += len; len is declared in 9356 but first assigned in the patch after the check for if (p->count > (UINT_MAX - 4 - len) / 12) { so this check might end up being broken :/ As this should fix len = 4 + p->count * 12; the - len looks like a mistake to me and is not needed as far as I can tell. Cheers Nico -- Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
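Review bot: in `if (p->count > (UINT_MAX - 4 - len) / 12)` the value of `len` is read before `len = 4 + p->count * 12;` assigns it; `len` is declared at 9356 as `unsigned int len;` with no initializer, so the bound is computed from an indeterminate value, which is undefined behaviour in C and is exactly what -Wuninitialized would report. Since the expression being guarded is `4 + p->count * 12`, the bound that keeps it within unsigned int is `if (p->count > (UINT_MAX - 4) / 12)`; drop the `- len`. The second guard, `size == 0 || size > UINT_MAX - len`, runs after the assignment and is fine as written.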
debian's patch used for unstable packages: http://people.debian.org/~nion/nmu-diff/ghostscript-8.64~dfsg-1_8.64~dfsg-1.1.patch
so this should be assigned to werner so he can fix the patch I suppose
It's getting worse ... is this one correct?
See ...

Patch #52 (ghostscript-CVE-2009-0792.patch):
+ patch -p0 -b --suffix .CVE20090792 -s
Reversed (or previously applied) patch detected!  Assume -R? [n]
Apply anyway? [n]
98 out of 98 hunks ignored -- saving rejects to file icclib/icc.c.rej

btw: the attachment includes both patches for CVE-2009-0196 and CVE-2009-0792 ... I've removed the patch for CVE-2009-0196 as there was no change for CVE-2009-0196.
According to #10 the problem is in ghostscript-CVE-2009-0583.patch. IMO this is the fix: --- ghostscript-CVE-2009-0583.patch.orig 2009-05-13 16:28:19.000000000 +0200 +++ ghostscript-CVE-2009-0583.patch 2009-05-13 17:04:16.000000000 +0200 @@ -965,7 +965,7 @@ + if (p->errc) + return p->errc; -+ if (p->count > (UINT_MAX - 4 - len) / 12) { ++ if (p->count > (UINT_MAX - 4) / 12) { + sprintf(p->err,"icc_write: too many tags"); + return p->errc = 1; + }
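Review bot: `(UINT_MAX - 4) / 12` is the right bound for `len = 4 + p->count * 12`: with `p->count` at most that value the sum is at most UINT_MAX and cannot wrap in unsigned arithmetic, and the check no longer reads an uninitialized variable. One thing to confirm before submitting: this hunk is applied to ghostscript-CVE-2009-0583.patch, while the build log in the previous comment shows ghostscript-CVE-2009-0792.patch being rejected as already applied; check which of the two patches in the package actually carries the icc_write hunk, so the corrected check lands in a file that is applied rather than skipped.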
There are some lines more ... nevertheless, I've submitted to 10.3, 11.0, 11.1, SLES10, SLES11, SLES9, and factory.
SLES10 seems to be missing ... all others there, 10.3,11.0,11.1,SLES9,SLE11 checked in.
Dirk wants this to be fixed with this update. https://bugzilla.novell.com/show_bug.cgi?id=501340
(In reply to comment #17) Just submitted.

(In reply to comment #18) IMHO I've done this. Only 11.0, 11.1, SLES11, and Factory were affected.
Perfect, thanks a lot.
Update released for: ghostscript-devel, ghostscript-fonts-other, ghostscript-fonts-rus, ghostscript-fonts-std, ghostscript-ijs-devel, ghostscript-library, ghostscript-library-debuginfo, ghostscript-library-debugsource, ghostscript-omni, ghostscript-x11, libgimpprint, libgimpprint-devel
Products:
openSUSE 10.3 (i386, ppc, x86_64)
openSUSE 11.0 (debug, i386, ppc, x86_64)
openSUSE 11.1 (debug, i586, ppc, x86_64)
Update released for: ghostscript-devel, ghostscript-fonts-other, ghostscript-fonts-rus, ghostscript-fonts-std, ghostscript-ijs-devel, ghostscript-library, ghostscript-library-debuginfo, ghostscript-library-debugsource, ghostscript-omni, ghostscript-x11, libgimpprint, libgimpprint-devel
Products:
SLE-DEBUGINFO 11 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11 (i386, x86_64)
SLE-SDK 11 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11 (i386, ia64, ppc64, s390x, x86_64)
Update released for: ghostscript-fonts-other, ghostscript-fonts-rus, ghostscript-fonts-std, ghostscript-library, ghostscript-serv, ghostscript-x11, libgimpprint, libgimpprint-devel
Products:
Novell-Linux-Desktop 9 (i386, x86_64)
Novell-Linux-POS 9 (i386)
Open-Enterprise-Server 9 (i386)
SUSE-CORE 9 (i386, ia64, ppc, s390, s390x, x86_64)
Update released for: ghostscript-fonts-other, ghostscript-fonts-rus, ghostscript-fonts-std, ghostscript-library, ghostscript-omni, ghostscript-x11, libgimpprint, libgimpprint-devel
Products:
SLE-DEBUGINFO 10-SP2 (i386, ia64, ppc, s390x, x86_64)
SLE-DESKTOP 10-SP2 (i386, x86_64)
SLE-SDK 10-SP2 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP2 (i386, ia64, ppc, s390x, x86_64)
fixed
CVE-2009-0584: CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)