Vigil@nce: Ghostscript, integer overflows via ICC
March 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can invite the victim to open a malicious PDF or PS
file with Ghostscript in order to execute code with victim’s
privileges.
Gravity: 2/4
Consequences: user access/rights, denial of service of client
Provenance: document
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 19/03/2009
IMPACTED PRODUCTS
– Debian Linux
– Fedora
– OpenSUSE
– Red Hat Enterprise Linux
– SUSE Linux Enterprise Server
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The ICC (International Color Consortium) profile defines color
variations needed by each device in order to display identical
colors. Some image types, such as JPEG or PNG, can contain ICC
profiles and can be included in a PDF or PostScript document.
The icclib/icc.c file of Ghostscript implements ICC. However, this
file contains several errors in the handling of integers coming
from an ICC profile. These integer overflows can corrupt the
memory.
An attacker can therefore invite the victim to open a malicious
PDF or PS file with Ghostscript in order to execute code with
victim’s privileges.
CHARACTERISTICS
Identifiers: BID-34184, CVE-2009-0583, CVE-2009-0584, DSA 1746-1,
FEDORA-2009-2883, FEDORA-2009-2885, FEDORA-2009-3011,
FEDORA-2009-3031, RHSA-2009:0345-01, SUSE-SR:2009:007,
VIGILANCE-VUL-8547
http://vigilance.fr/vulnerability/Ghostscript-integer-overflows-via-ICC-8547