Ghostscript: User-assisted execution of arbitrary code
1. Gentoo Linux Security Advisory

Version Information

    Advisory Reference: GLSA 200903-37 / ghostscript-gpl ghostscript-esp ghostscript-gnu
    Release Date:       March 23, 2009
    Latest Revision:    March 23, 2009: 01
    Impact:             normal
    Exploitable:        remote

    Package                    Vulnerable versions  Unaffected versions  Architecture(s)
    app-text/ghostscript-gpl   < 8.64-r2            >= 8.64-r2           All supported architectures
    app-text/ghostscript-gnu   < 8.62.0             >= 8.62.0            All supported architectures
    app-text/ghostscript-esp   <= 8.15.4-r1         (none)               All supported architectures

Related bugreports: #261087
Synopsis
Multiple integer overflows in the Ghostscript ICC library might allow for
user-assisted execution of arbitrary code.
2. Impact Information
Background
Ghostscript is an interpreter for the PostScript language and the
Portable Document Format (PDF).
Description
Jan Lieskovsky from the Red Hat Security Response Team discovered the
following vulnerabilities in Ghostscript's ICC Library:
- Multiple integer overflows (CVE-2009-0583).
- Multiple insufficient bounds checks on certain variable sizes (CVE-2009-0584).
Impact
A remote attacker could entice a user to open a specially crafted
PostScript file containing images and a malicious ICC profile, possibly
resulting in the execution of arbitrary code with the privileges of the
user running the application.
3. Resolution Information
Workaround
There is no known workaround at this time.
Resolution
All GPL Ghostscript users should upgrade to the latest version:
Code Listing 3.1: Resolution

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/ghostscript-gpl-8.64-r2"
All GNU Ghostscript users should upgrade to the latest version:
Code Listing 3.2: Resolution

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/ghostscript-gnu-8.62.0"
We recommend that users unmerge ESP Ghostscript and use GPL or GNU
Ghostscript instead:
Code Listing 3.3: Resolution

    # emerge --unmerge "app-text/ghostscript-esp"
For installation instructions, see above.
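As an added example (not part of the advisory or of Portage), the following POSIX shell script applies the vulnerable and unaffected ranges from the table above to a list of installed Ghostscript packages, so an administrator can tell which of the three resolutions applies to a host. The version ordering is a simplified assumption of Gentoo's, and the installed-package list is constructed sample data.

```shell
#!/bin/sh
# Added example: apply the vulnerable/unaffected ranges of GLSA 200903-37 to
# installed package versions. The version ordering below is a simplified
# assumption of Gentoo's (dotted numeric components, then the -rN revision,
# missing components read as 0); it is not Portage's own comparison code.

# vercmp A B: prints -1, 0 or 1 as version A sorts before, equal to or after B
vercmp() {
    a=${1%%-r*}; b=${2%%-r*}; ar=0; br=0
    case $1 in *-r*) ar=${1##*-r} ;; esac
    case $2 in *-r*) br=${2##*-r} ;; esac
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac=${a%%.*}; bc=${b%%.*}
        if [ "$a" = "$ac" ]; then a=''; else a=${a#*.}; fi
        if [ "$b" = "$bc" ]; then b=''; else b=${b#*.}; fi
        if [ "${ac:-0}" -lt "${bc:-0}" ]; then printf '%s\n' "-1"; return; fi
        if [ "${ac:-0}" -gt "${bc:-0}" ]; then printf '%s\n' "1"; return; fi
    done
    if [ "$ar" -lt "$br" ]; then printf '%s\n' "-1"
    elif [ "$ar" -gt "$br" ]; then printf '%s\n' "1"
    else printf '%s\n' "0"; fi
}

# is_affected PKG VERSION: exit 0 if VERSION of PKG is in the advisory's
# vulnerable range, 1 if it is an unaffected version, 2 if PKG is not covered
is_affected() {
    case $1 in
        app-text/ghostscript-gpl) [ "$(vercmp "$2" 8.64-r2)" -lt 0 ] ;;
        app-text/ghostscript-gnu) [ "$(vercmp "$2" 8.62.0)" -lt 0 ] ;;
        app-text/ghostscript-esp) [ "$(vercmp "$2" 8.15.4-r1)" -le 0 ] ;;
        *) return 2 ;;
    esac
}

# Constructed sample of "category/package version" lines, standing in for what
# a package query on the host would return; not data from a real system.
INSTALLED='app-text/ghostscript-gpl 8.64-r1
app-text/ghostscript-gnu 8.62.0
app-text/ghostscript-esp 8.15.4-r1'

# report: prints one line per installed package, VULNERABLE or ok
report() {
    printf '%s\n' "$INSTALLED" | while read -r pkg ver; do
        if is_affected "$pkg" "$ver"; then
            printf 'VULNERABLE %s-%s\n' "$pkg" "$ver"
        else
            printf 'ok %s-%s\n' "$pkg" "$ver"
        fi
    done
}

report
```

On the constructed sample this flags ghostscript-gpl 8.64-r1 and ghostscript-esp 8.15.4-r1 and reports ghostscript-gnu 8.62.0 as unaffected.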
4. References